10341000x8000000000000000883273Microsoft-Windows-Sysmon/Operationalwin-dc-lstella-92811-948.attackrange.local-2022-02-17 15:13:16.406{35E77E9D-660C-620E-CA7B-000000003602}33205684C:\Windows\system32\diskshadow.exe{35E77E9D-660C-620E-CB7B-000000003602}5232c:\windows\system32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\diskshadow.exe+39f8a|C:\Windows\system32\diskshadow.exe+3bf14|C:\Windows\system32\diskshadow.exe+3a5e4|C:\Windows\system32\diskshadow.exe+4044e|C:\Windows\system32\diskshadow.exe+3f516|C:\Windows\system32\diskshadow.exe+3e6f2|C:\Windows\system32\diskshadow.exe+45b2d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000883272Microsoft-Windows-Sysmon/Operationalwin-dc-lstella-92811-948.attackrange.local-2022-02-17 15:13:16.407{35E77E9D-660C-620E-CB7B-000000003602}5232C:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEc:\windows\system32\calc.exeC:\Users\Administrator\ATTACKRANGE\Administrator{35E77E9D-A7D2-620A-F9D5-5D0000000000}0x5dd5f92HighMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EA,IMPHASH=3843C3D4A5A7D1045ABE9A4BFCFAAB28{35E77E9D-660C-620E-CA7B-000000003602}3320C:\Windows\System32\diskshadow.exe"C:\Windows\system32\diskshadow.exe" -S C:\AtomicRedTeam\atomics\T1218\src\T1218.txt 23542300x8000000000000000883271Microsoft-Windows-Sysmon/Operationalwin-dc-lstella-92811-948.attackrange.local-2022-02-17 15:13:16.391{35E77E9D-660C-620E-CA7B-000000003602}3320ATTACKRANGE\AdministratorC:\Windows\system32\diskshadow.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\Dis6668.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000883270Microsoft-Windows-Sysmon/Operationalwin-dc-lstella-92811-948.attackrange.local-2022-02-17 15:13:16.391{35E77E9D-7BBA-620A-0C00-000000003602}820620C:\Windows\system32\svchost.exe{35E77E9D-660C-620E-CA7B-000000003602}3320C:\Windows\system32\diskshadow.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000883269Microsoft-Windows-Sysmon/Operationalwin-dc-lstella-92811-948.attackrange.local-2022-02-17 15:13:16.328{35E77E9D-C9DD-620B-4F2D-000000003602}22045016C:\Windows\system32\conhost.exe{35E77E9D-660C-620E-CA7B-000000003602}3320C:\Windows\system32\diskshadow.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000883265Microsoft-Windows-Sysmon/Operationalwin-dc-lstella-92811-948.attackrange.local-2022-02-17 15:13:16.328{35E77E9D-A7D0-620A-C40A-000000003602}47521944C:\Windows\system32\csrss.exe{35E77E9D-660C-620E-CA7B-000000003602}3320C:\Windows\system32\diskshadow.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000883263Microsoft-Windows-Sysmon/Operationalwin-dc-lstella-92811-948.attackrange.local-2022-02-17 15:13:16.328{35E77E9D-C9DD-620B-4E2D-000000003602}68046340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{35E77E9D-660C-620E-CA7B-000000003602}3320C:\Windows\system32\diskshadow.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+30e80099(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+303034f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+3030312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+30dcb45b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+302c009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+30323b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+30305b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+30305b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+303059b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+302f66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+30303c13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+30303785(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+303034f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+3030312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+30dcb45b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+302e83d8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+302e794a(wow64) 154100x8000000000000000883262Microsoft-Windows-Sysmon/Operationalwin-dc-lstella-92811-948.attackrange.local-2022-02-17 15:13:16.323{35E77E9D-660C-620E-CA7B-000000003602}3320C:\Windows\System32\diskshadow.exe10.0.14393.0 (rs1_release.160715-1616)DiskShadowMicrosoft® Windows® Operating SystemMicrosoft Corporationdiskshadow.exe"C:\Windows\system32\diskshadow.exe" -S C:\AtomicRedTeam\atomics\T1218\src\T1218.txtC:\Users\Administrator\ATTACKRANGE\Administrator{35E77E9D-A7D2-620A-F9D5-5D0000000000}0x5dd5f92HighMD5=5A6926E132B7A3F3319E825A88BCAD61,SHA256=8D556F8CA5588872AB80EE7DCF93B0EEE4CD2596A454CC7ADE4EA7CED3F8D7D8,IMPHASH=D547CF1856E86A75E9810C95886CC567{35E77E9D-C9DD-620B-4E2D-000000003602}6804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"