13 2 4 13 0 0x8000000000000000 45624 Microsoft-Windows-Sysmon/Operational MSEDGEWIN10.snapattack.labs - SetValue 2023-04-26 15:25:24.917 43199D79-C787-637B-0B00-000000001100 636 C:\Windows\system32\services.exe HKLM\System\CurrentControlSet\Services\auSophos\ImagePath C:\Windows\system32\auSophos.exe NT AUTHORITY\SYSTEM 13 2 4 13 0 0x8000000000000000 653 Microsoft-Windows-Sysmon/Operational wks02-vm - SetValue 2022-09-16 11:22:23.157 F6AF476A-5C6E-6324-E605-000000000600 9336 C:\Users\winuser\Desktop\Avaddon.exe\Avaddon.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DWORD (0x00000000) wks02-vm\winuser 13 2 4 13 0 0x8000000000000000 3693 Microsoft-Windows-Sysmon/Operational SLABS-DC.snapattack.labs - SetValue 2023-03-08 22:53:37.348 97232C30-11EC-6409-4C09-000000000902 2256 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe HKLM\System\CurrentControlSet\Services\wuauserv\Start DWORD (0x00000004) NT AUTHORITY\SYSTEM 13 2 4 13 0 0x8000000000000000 80363 Microsoft-Windows-Sysmon/Operational WIN11-22H2 - SetValue 2024-08-19 19:40:20.682 AC4C5E18-9FA2-66C3-7909-000000000E00 11380 C:\Users\localuser\Downloads\WindowsDowndate-main\windows_downdate.exe HKLM\COMPONENTS\PendingXmlIdentifier Binary Data WIN11-22H2\localuser 13 2 4 13 0 0x8000000000000000 30215 Microsoft-Windows-Sysmon/Operational EC2AMAZ-1CL0VOR - SetValue 2022-08-01 17:05:28.312 09661227-07D8-62E8-380B-00000000BF01 11732 C:\Windows\system32\reg.exe HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger C:\windows\system32\calc.exe EC2AMAZ-1CL0VOR\user 13 2 4 13 0 0x8000000000000000 357 Microsoft-Windows-Sysmon/Operational EC2AMAZ-34S98QL - SetValue 2023-10-20 14:59:49.587 D4BC5266-95E5-6532-360C-000000006C02 984 C:\Windows\system32\reg.exe HKU\S-1-5-21-4224902346-1214373562-3362504726-1009\Software\Microsoft\Windows\CurrentVersion\Run\Exela Update Service C:\Users\user\AppData\Local\ExelaUpdateService\Exela.exe EC2AMAZ-34S98QL\user 13 2 4 13 0 0x8000000000000000 1740 Microsoft-Windows-Sysmon/Operational SLABS-DC.snapattack.labs - SetValue 2023-03-09 01:00:31.898 97232C30-2FA1-6409-FD05-000000000902 2008 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe HKLM\System\CurrentControlSet\Services\Rortal\ErrorControl DWORD (0x00000001) NT AUTHORITY\SYSTEM 13 2 4 13 0 0x8000000000000000 24659 Microsoft-Windows-Sysmon/Operational MSEDGEWIN10.snapattack.labs - SetValue 2022-09-09 18:00:13.306 43199D79-7F2B-631B-BF0C-000000001000 7068 c:\Users\snapattack\Desktop\zeppelin\24efa10a2b51c5fd6e45da6babd4e797d9cae399be98941f950abf7b5e9a4cd7.exe HKU\S-1-5-21-421648065-3458498710-3574272164-1103\Software\Zeppelin\Process npPS1sHFQ6r4qDzJVvx/ye8hd7sKvl5F/X2KYTApyYnMKXGVOeaq+POnVA== SNAPATTACK\snapattack 13 2 4 13 0 0x8000000000000000 24347 Microsoft-Windows-Sysmon/Operational SLABS-DC.snapattack.labs - SetValue 2024-07-24 01:28:44.204 9B7459AC-58CB-66A0-2C13-00000000A202 7884 C:\Windows\system32\reg.exe HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam\Driver AtomicTest.dll SNAPATTACK\user 1 5 4 1 0 0x8000000000000000 1588086 Microsoft-Windows-Sysmon/Operational WIN10-21H1.snapattack.labs - 2024-10-25 17:34:44.951 F51F9151-D6B4-671B-5506-000000001600 3020 C:\Windows\System32\svchost.exe 10.0.19041.546 (WinBuild.160101.0800) Host Process for Windows Services Microsoft® Windows® Operating System Microsoft Corporation svchost.exe C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry C:\Windows\system32\ NT AUTHORITY\LOCAL SERVICE F51F9151-D420-671B-E503-000000000000 0x3e5 0 System MD5=F586835082F632DC8D9404D83BC16316,SHA256=643EC58E82E0272C97C2A59F6020970D881AF19C0AD5029DB9C958C13B6558C7,IMPHASH=F9BBD96FAE53B7A31264A703CAFA0666 F51F9151-D420-671B-0B00-000000001600 708 C:\Windows\System32\services.exe C:\Windows\system32\services.exe NT AUTHORITY\SYSTEM 13 2 4 13 0 0x8000000000000000 2165 Microsoft-Windows-Sysmon/Operational SLABS-DC.snapattack.labs - SetValue 2023-03-08 23:37:00.371 97232C30-1C0E-6409-F705-000000000902 7136 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe HKLM\SOFTWARE\BlackLivesMatter\Ed7 Binary Data NT AUTHORITY\SYSTEM 13 2 4 13 0 0x8000000000000000 1585328 Microsoft-Windows-Sysmon/Operational WIN10-21H1.snapattack.labs - SetValue 2024-07-31 19:02:54.664 F51F9151-8A38-66AA-0122-000000000A00 10764 C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE HKU\S-1-5-21-1538153195-943065003-848949206-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Webview\Inbox\URL http://10.3.99.1/css/uennGj2qfCrVGQ WIN10-21H1\localuser 13 2 4 13 0 0x8000000000000000 4124 Microsoft-Windows-Sysmon/Operational EC2AMAZ-EHFFLMC - SetValue 2022-04-14 13:23:27.066 1DE3D0C1-2047-6258-7D05-00000000B001 6052 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe HKU\S-1-5-21-1989762450-1624815708-3807724252-1009_Classes\ms-settings\shell\open\command\(Default) C:\Windows\System32\cmd.exe EC2AMAZ-EHFFLMC\user 12 2 4 12 0 0x8000000000000000 24046 Microsoft-Windows-Sysmon/Operational dc03-vm.lab3.localdomain - CreateKey 2022-09-02 19:25:11.993 CFDD709A-588C-6312-911A-000000000A00 10700 \\dc03-vm.lab3.localdomain\SYSVOL\lab3.localdomain\scripts\Conti.exe HKU\S-1-5-21-2473259342-3556567973-1978402759-500\SOFTWARE\Microsoft\RestartManager\Session0000 LAB3\labadmin3 13 2 4 13 0 0x8000000000000000 45624 Microsoft-Windows-Sysmon/Operational MSEDGEWIN10.snapattack.labs - SetValue 2023-04-26 15:25:24.917 43199D79-C787-637B-0B00-000000001100 636 C:\Windows\system32\services.exe HKLM\System\CurrentControlSet\Services\auSophos\ImagePath C:\Windows\system32\auSophos.exe NT AUTHORITY\SYSTEM 13 2 4 13 0 0x8000000000000000 80363 Microsoft-Windows-Sysmon/Operational WIN11-22H2 - SetValue 2024-08-19 19:40:20.682 AC4C5E18-9FA2-66C3-7909-000000000E00 11380 C:\Users\localuser\Downloads\WindowsDowndate-main\windows_downdate.exe HKLM\COMPONENTS\PendingXmlIdentifier Binary Data WIN11-22H2\localuser 13 2 4 13 0 0x8000000000000000 24659 Microsoft-Windows-Sysmon/Operational MSEDGEWIN10.snapattack.labs - SetValue 2022-09-09 18:00:13.306 43199D79-7F2B-631B-BF0C-000000001000 7068 c:\Users\snapattack\Desktop\zeppelin\24efa10a2b51c5fd6e45da6babd4e797d9cae399be98941f950abf7b5e9a4cd7.exe HKU\S-1-5-21-421648065-3458498710-3574272164-1103\Software\Zeppelin\Process npPS1sHFQ6r4qDzJVvx/ye8hd7sKvl5F/X2KYTApyYnMKXGVOeaq+POnVA== SNAPATTACK\snapattack 1 5 4 1 0 0x8000000000000000 1588086 Microsoft-Windows-Sysmon/Operational WIN10-21H1.snapattack.labs - 2024-10-25 17:34:44.951 F51F9151-D6B4-671B-5506-000000001600 3020 C:\Windows\System32\svchost.exe 10.0.19041.546 (WinBuild.160101.0800) Host Process for Windows Services Microsoft® Windows® Operating System Microsoft Corporation svchost.exe C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry C:\Windows\system32\ NT AUTHORITY\LOCAL SERVICE F51F9151-D420-671B-E503-000000000000 0x3e5 0 System MD5=F586835082F632DC8D9404D83BC16316,SHA256=643EC58E82E0272C97C2A59F6020970D881AF19C0AD5029DB9C958C13B6558C7,IMPHASH=F9BBD96FAE53B7A31264A703CAFA0666 F51F9151-D420-671B-0B00-000000001600 708 C:\Windows\System32\services.exe C:\Windows\system32\services.exe NT AUTHORITY\SYSTEM