4688 2 0 13312 0 0x8020000000000000 9817297 Security arrakis.snapattack.labs S-1-5-21-421648065-3458498710-3574272164-1103 SnapAttack SNAPATTACK 0x11165e 0xb50 C:\Windows\7.exe %%1937 0x30e8 C:\Windows\7.exe x C:\Windows\.7z -p1234 -o"C:\Windows" S-1-0-0 - - 0x0 C:\Windows\System32\cmd.exe S-1-16-12288
1 5 4 1 0 0x8000000000000000 61189 Microsoft-Windows-Sysmon/Operational WIN11-22H2-X64.snapattack.labs - 2025-09-16 10:59:26.768 AC4C5E18-430E-68C9-AA0C-000000001A00 6752 C:\Windows\System32\mountvol.exe 10.0.22621.1 (WinBuild.160101.0800) Mount Volume Utility Microsoft® Windows® Operating System Microsoft Corporation MOUNTVOL.EXE "C:\Windows\system32\mountvol.exe" s: /S C:\Users\localuser\ WIN11-22H2-X64\localuser AC4C5E18-38C5-68C9-9F81-020000000000 0x2819f 1 High MD5=0CEF64BA40803B3E3EC629714A1C64F8,SHA256=1F649F2B822A87B6C54524E20975946DF0F8081CA1325CF781A9E50C66801F6B,IMPHASH=72D2CD1301A2466A3D1834DC3B95BE3F AC4C5E18-391A-68C9-0501-000000001A00 9004 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WIN11-22H2-X64\localuser
1 5 4 1 0 0x8000000000000000 66694 Microsoft-Windows-Sysmon/Operational quadra.snapattack.labs - 2024-03-21 19:36:31.294 BD1BA16A-8C3F-65FC-6F0B-000000001200 7284 C:\Users\patreides\NorthstarStager.exe 1.0.0.0 System Health Check System Health Check - NorthstarStager.exe "C:\users\patreides\NorthstarStager.exe" C:\users\patreides\ SNAPATTACK\snapattack BD1BA16A-58F3-6580-82A5-080000000000 0x8a582 1 High MD5=FB33F5DF25747FC0E31D6F09FD38C564,SHA256=0A2882CD53C8047647D6CD153D034BA194C5838EA90D45F096A91D4394FD1201,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 00000000-0000-0000-0000-000000000000 9984 - - -
1 5 4 1 0 0x8000000000000000 9087 Microsoft-Windows-Sysmon/Operational EC2AMAZ-J5R8T5M - 2024-04-03 19:18:20.875 AF7BBE47-AB7C-660D-870F-00000000C702 7288 C:\Windows\System32\cmd.exe 10.0.17763.1697 (WinBuild.160101.0800) Windows Command Processor Microsoft® Windows® Operating System Microsoft Corporation Cmd.Exe "C:\Windows\System32\cmd.exe" /c start /B .t\scholar.exe & .t\invitation.pdf D:\ EC2AMAZ-J5R8T5M\user AF7BBE47-A7F7-660D-B4A5-030000000000 0x3a5b4 2 Medium MD5=911D039E71583A07320B32BDE22F8E22,SHA256=BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527,IMPHASH=272245E2988E1E430500B852C4FB5E18 AF7BBE47-A7F9-660D-7A00-00000000C702 5276 C:\Windows\explorer.exe C:\Windows\Explorer.EXE EC2AMAZ-J5R8T5M\user
1 5 4 1 0 0x8000000000000000 5102 Microsoft-Windows-Sysmon/Operational WinDev2204Eval - 2022-05-25 15:46:47.343 0BD59C11-4F67-628E-C50C-000000000F00 15012 C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 16.0.15128.20248 Microsoft Word Microsoft Office Microsoft Corporation WinWord.exe "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\User\AppData\Local\Temp\acrobat_sbx\A91ydxxk_1avanac_ap4.tmp\has been verified. However PDF, Jpeg, xlsx, .docx" /o "" C:\Windows\system32\ WINDEV2204EVAL\User 0BD59C11-44F7-628E-45D4-040000000000 0x4d445 1 Medium MD5=3C4D28CDE5B09F9812A43EC20C8CA5D8,SHA256=47A77650B282A7F6C1F77CDBAE5707B1AFE15EBBB937BB9DB3C6A03C984EB8F8,IMPHASH=9A357A51628D5895F00FCACE844D63DF 0BD59C11-4F5F-628E-BD0C-000000000F00 12180 C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\User\Downloads\05dc0792a89e18f5485d9127d2063b343cfd2a5d497c9b5df91dc687f9a1341d\05dc0792a89e18f5485d9127d2063b343cfd2a5d497c9b5df91dc687f9a1341d.pdf" WINDEV2204EVAL\User
1 5 4 1 0 0x8000000000000000 22719 Microsoft-Windows-Sysmon/Operational EC2AMAZ-7DETGRN - 2024-11-06 17:45:33.115 BD875050-AB3D-672B-0F09-00000000C702 7956 C:\Users\user\datax\data\FontDiag.exe May 31 2023, 15:42:58 QEMU machine emulators and tools QEMU https://www.qemu.org - \Users\user\datax\data\fontdiag.exe -drive file=\Users\user\datax\data\tc.img -nographic C:\Users\user\Downloads\OneAmerica Survey\ EC2AMAZ-7DETGRN\user BD875050-AA2A-672B-C71A-B50000000000 0xb51ac7 2 Medium MD5=D92F0B7F9EE415600B4828BC4F6D78EA,SHA256=287213A9E91D2FA7DEEF3B4BA31D170EBD652170313314E706D173F4BEF2C300,IMPHASH=4AA8F65FB9B66F1A387C571EE8F6E767 BD875050-AB3C-672B-0B09-00000000C702 7704 C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\datax\data\start.bat EC2AMAZ-7DETGRN\user
4688 2 0 13312 0 0x8020000000000000 172827 Security EC2AMAZ-7DETGRN S-1-5-21-2096087594-1903196135-431590293-1009 user EC2AMAZ-7DETGRN 0xa858d1 0x388 C:\Windows\System32\rundll32.exe %%1938 0xcb0 "Rundll32.exe" "C:\Program Files\Common Files\System\OLE DB\oledb32.dll",OpenDSLFile C:\Users\user\Desktop\Important - Copy.udl S-1-0-0 - - 0x0 C:\Windows\explorer.exe S-1-16-8192
11 2 4 11 0 0x8000000000000000 1236 Microsoft-Windows-Sysmon/Operational EC2AMAZ-7DETGRN - 2024-08-21 15:35:12.499 BD875050-07D8-66C6-1004-00000000C702 3248 C:\Windows\Explorer.EXE C:\Users\user\Desktop\Important - Copy.udl 2024-08-21 15:35:12.499 EC2AMAZ-7DETGRN\user