4104 1 5 2 15 0x0 120491 Microsoft-Windows-PowerShell/Operational EC2AMAZ-2RSGUKB 1 1 $env:LEVEL_API_KEY = "BSHd7pjku9TeNS3B83kywfso"; Set-ExecutionPolicy RemoteSigned -Scope Process -Force; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -useb https://downloads.level.io/install_windows.ps1 | iex 0c9bb291-f829-412f-80d6-0e7430328139 11 2 4 11 0 0x8000000000000000 10560 Microsoft-Windows-Sysmon/Operational win10-base - 2022-03-17 14:41:32.875 B50C7A1E-4883-6233-D714-000000002600 10696 C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE C:\ProgramData\WindowsDefenderService.ini 2022-03-17 14:41:32.875 WIN10-BASE\user 4688 2 0 13312 0 0x8020000000000000 182178 Security EC2AMAZ-2RSGUKB S-1-5-18 EC2AMAZ-2RSGUKB$ WORKGROUP 0x3e7 0x1b74 C:\Program Files\Pulseway\PCMonitorSrv.exe %%1936 0x264 "C:\Program Files\Pulseway\PCMonitorSrv.exe" S-1-0-0 - - 0x0 C:\Windows\System32\services.exe S-1-16-16384 1 5 4 1 0 0x8000000000000000 163597 Microsoft-Windows-Sysmon/Operational wks01-vm.lab3.localdomain - 2022-09-02 18:57:05.645 A52FDC10-5201-6312-0815-000000002000 4800 C:\Users\domuser.LAB3\Desktop\anydesk.exe 7.0.14 AnyDesk AnyDesk AnyDesk Software GmbH - .\anydesk.exe --get-id C:\Users\domuser.LAB3\Desktop\ LAB3\domuser A52FDC10-4213-6312-CE29-0A0000000000 0xa29ce 2 Medium MD5=2621B754576047A6E94ACBF1DD4FE0EF,SHA256=109B03FFC45231E5A4C8805A10926492890F7B568F8A93ABE1FA495B4BD42975,IMPHASH=00000000000000000000000000000000 A52FDC10-5201-6312-0715-000000002000 4548 C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ".\anydesk.exe" --get-id LAB3\domuser 4688 2 0 13312 0 0x8020000000000000 9766208 Security arrakis.snapattack.labs S-1-5-18 ARRAKIS$ SNAPATTACK 0x3e7 0x1988 C:\Windows\SysWOW64\rundll32.exe %%1936 0x34f0 rundll32.exe "C:\Windows\Installer\MSIF03B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_716968 2 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments S-1-0-0 - - 0x0 C:\Windows\SysWOW64\msiexec.exe S-1-16-16384 11 2 4 11 0 0x8000000000000000 54609 Microsoft-Windows-Sysmon/Operational arrakis.snapattack.labs - 2023-01-05 16:30:05.682 D52145E4-FB0D-63B6-A606-000000001400 6536 C:\Windows\SysWOW64\rundll32.exe C:\Windows\Installer\MSIF03B.tmp-\ScreenConnect.InstallerActions.dll 2023-01-05 16:30:05.682 NT AUTHORITY\SYSTEM 4688 2 0 13312 0 0x8020000000000000 9766219 Security arrakis.snapattack.labs S-1-5-18 ARRAKIS$ SNAPATTACK 0x3e7 0x2de8 C:\Program Files (x86)\ScreenConnect Client (44bef4b55edaae28)\ScreenConnect.ClientService.exe %%1936 0x274 "C:\Program Files (x86)\ScreenConnect Client (44bef4b55edaae28)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-awb2d9-relay.screenconnect.com&p=443&s=dcca5cc4-18c4-416e-aa35-7fc9e6e965a6&k=BgIAAACkAABSU0ExAAgAAAEAAQBZRUWnD1%2firZR%2b3GkHRdgWS6Sdga2uNnNx0KZ4lm68vN35qmBvKcKbpBw%2bNH5s1G%2fqhyXj7SkoFz5v6Qo3O3f5HcJQDkexqZfPpcPfEaOrduqKOvhA7gwnhQDz5%2bs%2f%2f%2ff4CgOzmx7bcP1NxJy0qiT5VJvizYw2GrmJoBy4TMLH2H2SoVPtn0TeuUvx7FJF7i2TjGsVCgjwTVYQtkR%2b3OzeMn%2btygm1QjZdPIKRuf%2bUSHZVfPhfKPz%2fHNcaEFUdibnXxoCIN9FxD%2bMAkaxvBvyC7IZy%2fqMsCQQP25nUzfsYb0e281uig8N%2fwdjfRw9TFxMxA0Y9JnOrR9jELjZGMvvL&t=&c=snap&c=lab&c=labs&c=&c=&c=&c=&c=" S-1-0-0 - - 0x0 C:\Windows\System32\services.exe S-1-16-16384 11 2 4 11 0 0x8000000000000000 9637 Microsoft-Windows-Sysmon/Operational win10-base - 2022-03-14 16:52:35.883 B50C7A1E-72BE-622F-DC11-000000002400 8400 C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE C:\ProgramData\Outlook.wsf 2022-03-14 16:52:35.883 WIN10-BASE\user 11 2 4 11 0 0x8000000000000000 11929 Microsoft-Windows-Sysmon/Operational DC01.snapattack.labs - 2024-10-30 16:12:07.497 A5CDDB11-5AD5-6722-4B12-000000000800 8084 C:\Windows\system32\mstsc.exe C:\Users\Public\Start Menu\Programs\Startup\backdoor.exe 2024-10-30 16:12:07.497 snapattack\domainadmin 4104 1 5 2 15 0x0 120491 Microsoft-Windows-PowerShell/Operational EC2AMAZ-2RSGUKB 1 1 $env:LEVEL_API_KEY = "BSHd7pjku9TeNS3B83kywfso"; Set-ExecutionPolicy RemoteSigned -Scope Process -Force; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -useb https://downloads.level.io/install_windows.ps1 | iex 0c9bb291-f829-412f-80d6-0e7430328139 11 2 4 11 0 0x8000000000000000 10560 Microsoft-Windows-Sysmon/Operational win10-base - 2022-03-17 14:41:32.875 B50C7A1E-4883-6233-D714-000000002600 10696 C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE C:\ProgramData\WindowsDefenderService.ini 2022-03-17 14:41:32.875 WIN10-BASE\user 4688 2 0 13312 0 0x8020000000000000 182178 Security EC2AMAZ-2RSGUKB S-1-5-18 EC2AMAZ-2RSGUKB$ WORKGROUP 0x3e7 0x1b74 C:\Program Files\Pulseway\PCMonitorSrv.exe %%1936 0x264 "C:\Program Files\Pulseway\PCMonitorSrv.exe" S-1-0-0 - - 0x0 C:\Windows\System32\services.exe S-1-16-16384 1 5 4 1 0 0x8000000000000000 163597 Microsoft-Windows-Sysmon/Operational wks01-vm.lab3.localdomain - 2022-09-02 18:57:05.645 A52FDC10-5201-6312-0815-000000002000 4800 C:\Users\domuser.LAB3\Desktop\anydesk.exe 7.0.14 AnyDesk AnyDesk AnyDesk Software GmbH - .\anydesk.exe --get-id C:\Users\domuser.LAB3\Desktop\ LAB3\domuser A52FDC10-4213-6312-CE29-0A0000000000 0xa29ce 2 Medium MD5=2621B754576047A6E94ACBF1DD4FE0EF,SHA256=109B03FFC45231E5A4C8805A10926492890F7B568F8A93ABE1FA495B4BD42975,IMPHASH=00000000000000000000000000000000 A52FDC10-5201-6312-0715-000000002000 4548 C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ".\anydesk.exe" --get-id LAB3\domuser 11 2 4 11 0 0x8000000000000000 9637 Microsoft-Windows-Sysmon/Operational win10-base - 2022-03-14 16:52:35.883 B50C7A1E-72BE-622F-DC11-000000002400 8400 C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE C:\ProgramData\Outlook.wsf 2022-03-14 16:52:35.883 WIN10-BASE\user