13241300x800000000000000011945196Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-16 20:53:39.131{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate\Scheduled Start\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x800000000000000011283125Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-16 16:21:10.301{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Resume On Boot\IndexDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000011283097Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-16 16:21:10.145{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Schedule Scan\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x800000000000000011283095Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-16 16:21:10.145{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x800000000000000011283094Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-16 16:21:10.145{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x800000000000000011282783Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-16 16:21:09.114{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Resume On Boot\IndexDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000011282762Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-16 16:21:09.067{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x800000000000000011282761Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-16 16:21:09.067{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x800000000000000011282760Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-16 16:21:09.067{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x800000000000000011282759Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-16 16:21:09.067{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x80000000000000009153720Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-16 01:43:21.711{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000009153719Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-16 01:43:21.711{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x80000000000000009153718Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-16 01:43:21.695{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000009153717Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-16 01:43:21.695{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x80000000000000008448254Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 20:53:05.185{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate\Scheduled Start\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000007737698Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 15:59:46.609{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate\Scheduled Start\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000007719915Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 15:52:32.008{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Resume On Boot\IndexDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000007719889Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 15:52:31.852{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Schedule Scan\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000007719887Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 15:52:31.852{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000007719886Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-15 15:52:31.852{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x80000000000000007719635Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 15:52:31.446{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Resume On Boot\IndexDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000007719616Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 15:52:31.399{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000007719615Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-15 15:52:31.399{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x80000000000000007719614Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 15:52:31.399{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000007719613Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-15 15:52:31.399{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 12241200x80000000000000007580430Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteValue2022-04-15 14:55:21.728{D66DFBF7-8759-6259-294C-000000004402}4716C:\Windows\SYSTEM32\reg.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\haag\SDNT AUTHORITY\SYSTEM 154100x80000000000000007580370Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:55:21.701{D66DFBF7-8759-6259-2A4C-000000004402}4784C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e72SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D66DFBF7-8759-6259-294C-000000004402}4716C:\Windows\System32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\haag" /v SD /fNT AUTHORITY\SYSTEM 154100x80000000000000007580362Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:55:21.693{D66DFBF7-8759-6259-294C-000000004402}4716C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\haag" /v SD /fC:\Users\Administrator\NT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e72SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D66DFBF7-8397-6259-494B-000000004402}4620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 154100x80000000000000007578159Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:54:37.867{D66DFBF7-872D-6259-214C-000000004402}4968C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e72SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D66DFBF7-872D-6259-204C-000000004402}2900C:\Windows\System32\cmd.execmd.exe reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\haag" /v SD /fNT AUTHORITY\SYSTEM 154100x80000000000000007578149Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:54:37.861{D66DFBF7-872D-6259-204C-000000004402}2900C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\haag" /v SD /fC:\Users\Administrator\NT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e72SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{D66DFBF7-8397-6259-494B-000000004402}4620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 154100x80000000000000007576571Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:53:58.740{D66DFBF7-8706-6259-1F4C-000000004402}792C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e72SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D66DFBF7-8706-6259-1E4C-000000004402}3900C:\Windows\System32\cmd.execmd.exe reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\haag" /v SD /fNT AUTHORITY\SYSTEM 154100x80000000000000007576560Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:53:58.719{D66DFBF7-8706-6259-1E4C-000000004402}3900C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\haag" /v SD /fC:\Users\Administrator\NT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e72SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{D66DFBF7-8397-6259-494B-000000004402}4620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 154100x80000000000000007573969Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:53:02.786{D66DFBF7-86CE-6259-164C-000000004402}3844C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e72SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D66DFBF7-86CE-6259-154C-000000004402}4608C:\Windows\System32\cmd.execmd.exe reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\haag" /v SD /fNT AUTHORITY\SYSTEM 154100x80000000000000007573959Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:53:02.780{D66DFBF7-86CE-6259-154C-000000004402}4608C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\haag" /v SD /fC:\Users\Administrator\NT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e72SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{D66DFBF7-8397-6259-494B-000000004402}4620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 154100x80000000000000007572911Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:52:42.522{D66DFBF7-86BA-6259-134C-000000004402}5072C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e72SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D66DFBF7-86BA-6259-124C-000000004402}3904C:\Windows\System32\cmd.execmd.exe reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\haag" /v SD /fNT AUTHORITY\SYSTEM 154100x80000000000000007572901Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:52:42.517{D66DFBF7-86BA-6259-124C-000000004402}3904C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\haag" /v SD /fC:\Users\Administrator\NT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e72SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{D66DFBF7-8397-6259-494B-000000004402}4620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 154100x80000000000000007569004Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:51:18.183{D66DFBF7-8666-6259-044C-000000004402}3784C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e72SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D66DFBF7-8666-6259-034C-000000004402}4408C:\Windows\System32\cmd.execmd.exe reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\haag" /v SD /fNT AUTHORITY\SYSTEM 154100x80000000000000007568994Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:51:18.168{D66DFBF7-8666-6259-034C-000000004402}4408C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\haag" /v SD /fC:\Users\Administrator\NT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e72SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{D66DFBF7-8397-6259-494B-000000004402}4620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 154100x80000000000000007568466Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:51:04.809{D66DFBF7-8658-6259-024C-000000004402}3040C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\haag" /v SDC:\Users\Administrator\WIN-HOST-MHAAG-\Administrator{D66DFBF7-0A91-6257-6044-0A0000000000}0xa44602HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D66DFBF7-8397-6259-494B-000000004402}4620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 13241300x80000000000000007567275Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 14:50:39.813{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\haag\IndexDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000007567274Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 14:50:39.813{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\haag\Id{AE644E24-B7AF-4DD0-8F23-8D273346E85E}NT AUTHORITY\SYSTEM 13241300x80000000000000007567273Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 14:50:39.813{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\haag\SDBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000007567272Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-15 14:50:39.813{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\haagNT AUTHORITY\SYSTEM 12241200x80000000000000007565268Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-15 14:50:05.323{D66DFBF7-8375-6259-464B-000000004402}3888C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ATOMIC-T1053.005WIN-HOST-MHAAG-\Administrator 12241200x80000000000000007565120Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-15 14:50:01.053{D66DFBF7-8375-6259-464B-000000004402}3888C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTaskWIN-HOST-MHAAG-\Administrator 12241200x80000000000000007564988Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-15 14:49:57.241{D66DFBF7-8375-6259-464B-000000004402}3888C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnStartupWIN-HOST-MHAAG-\Administrator 12241200x80000000000000007564877Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-15 14:49:53.881{D66DFBF7-8375-6259-464B-000000004402}3888C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnLogonWIN-HOST-MHAAG-\Administrator 12241200x80000000000000007564730Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-15 14:49:50.428{D66DFBF7-8375-6259-464B-000000004402}3888C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_WMIWIN-HOST-MHAAG-\Administrator 12241200x80000000000000007562113Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-15 14:49:32.679{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawnNT AUTHORITY\SYSTEM 154100x80000000000000007554722Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:46:39.883{D66DFBF7-854F-6259-C64B-000000004402}3300C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e72SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D66DFBF7-854F-6259-C54B-000000004402}4956C:\Windows\System32\cmd.execmd.exe reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Spawn" /v SD /fNT AUTHORITY\SYSTEM 154100x80000000000000007554712Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:46:39.873{D66DFBF7-854F-6259-C54B-000000004402}4956C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Spawn" /v SD /fC:\Users\Administrator\NT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e72SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{D66DFBF7-8397-6259-494B-000000004402}4620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 13241300x80000000000000007552864Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 14:46:20.765{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask\IndexDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000007552863Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 14:46:20.765{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask\Id{76CF48FD-B829-46D4-8B37-188CB2F4A2A0}NT AUTHORITY\SYSTEM 13241300x80000000000000007552862Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 14:46:20.765{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask\SDBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000007552861Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-15 14:46:20.765{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTaskNT AUTHORITY\SYSTEM 13241300x80000000000000007552154Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 14:46:20.093{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000007552153Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 14:46:20.093{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn\Id{6414F72A-8257-40A4-91E6-E2F8E0D632D0}NT AUTHORITY\SYSTEM 13241300x80000000000000007552152Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 14:46:20.093{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn\SDBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000007552151Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-15 14:46:20.093{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawnNT AUTHORITY\SYSTEM 12241200x80000000000000007551672Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-15 14:46:13.703{D66DFBF7-8375-6259-464B-000000004402}3888C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTaskWIN-HOST-MHAAG-\Administrator 154100x80000000000000007551135Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:46:04.356{D66DFBF7-852C-6259-AC4B-000000004402}4716C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e72SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D66DFBF7-852C-6259-AB4B-000000004402}3296C:\Windows\System32\cmd.execmd.exe reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask" /v SD /fNT AUTHORITY\SYSTEM 154100x80000000000000007551124Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:46:04.349{D66DFBF7-852C-6259-AB4B-000000004402}3296C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask" /v SD /fC:\Users\Administrator\NT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e72SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{D66DFBF7-8397-6259-494B-000000004402}4620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 12241200x80000000000000007550615Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-15 14:45:51.233{D66DFBF7-8375-6259-464B-000000004402}3888C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawnWIN-HOST-MHAAG-\Administrator 154100x80000000000000007549270Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:45:33.955{D66DFBF7-850D-6259-A24B-000000004402}3040C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Spawn" /v SDC:\Users\Administrator\WIN-HOST-MHAAG-\Administrator{D66DFBF7-0A91-6257-6044-0A0000000000}0xa44602HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D66DFBF7-8397-6259-494B-000000004402}4620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 154100x80000000000000007546378Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:45:11.399{D66DFBF7-84F7-6259-8B4B-000000004402}4708C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask" /v SDC:\Users\Administrator\WIN-HOST-MHAAG-\Administrator{D66DFBF7-0A91-6257-6044-0A0000000000}0xa44602HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D66DFBF7-8397-6259-494B-000000004402}4620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 154100x80000000000000007545926Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:45:05.667{D66DFBF7-84F1-6259-8A4B-000000004402}3236C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e72SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D66DFBF7-84F1-6259-894B-000000004402}4512C:\Windows\System32\cmd.execmd.exe reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask" /v SD /fNT AUTHORITY\SYSTEM 154100x80000000000000007545917Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:45:05.649{D66DFBF7-84F1-6259-894B-000000004402}4512C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask" /v SD /fC:\Users\Administrator\NT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e72SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{D66DFBF7-8397-6259-494B-000000004402}4620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 154100x80000000000000007544705Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-15 14:44:50.686{D66DFBF7-84E2-6259-7E4B-000000004402}3484C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask" /v SDC:\Users\Administrator\WIN-HOST-MHAAG-\Administrator{D66DFBF7-0A91-6257-6044-0A0000000000}0xa44602HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D66DFBF7-8397-6259-494B-000000004402}4620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 13241300x80000000000000007544570Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 14:44:46.676{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask\IndexDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x80000000000000007544569Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 14:44:46.676{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask\Id{BEABDDD3-50F5-4871-8785-67356720310F}NT AUTHORITY\SYSTEM 13241300x80000000000000007544568Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 14:44:46.676{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask\SDBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000007544567Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-15 14:44:46.676{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTaskNT AUTHORITY\SYSTEM 12241200x80000000000000007522353Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-15 14:38:55.383{D66DFBF7-8375-6259-464B-000000004402}3888C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTaskWIN-HOST-MHAAG-\Administrator 154100x8000000000000000812492Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-206.attackrange.local-2022-04-15 14:35:45.150{29D0ABBC-82C1-6259-DB70-000000004102}4212C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn" /v SDC:\Users\Administrator\ATTACKRANGE\Administrator{29D0ABBC-F50F-6256-FEB7-5F0100000000}0x15fb7fe2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{29D0ABBC-7BA1-6259-B16F-000000004102}4144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 154100x8000000000000000812415Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-206.attackrange.local-2022-04-15 14:35:26.273{29D0ABBC-82AE-6259-D670-000000004102}4288C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask" /v SDC:\Users\Administrator\ATTACKRANGE\Administrator{29D0ABBC-F50F-6256-FEB7-5F0100000000}0x15fb7fe2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{29D0ABBC-7BA1-6259-B16F-000000004102}4144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 154100x8000000000000000812399Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-206.attackrange.local-2022-04-15 14:35:22.323{29D0ABBC-82AA-6259-D570-000000004102}2588C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask"C:\Users\Administrator\ATTACKRANGE\Administrator{29D0ABBC-F50F-6256-FEB7-5F0100000000}0x15fb7fe2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{29D0ABBC-7BA1-6259-B16F-000000004102}4144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 154100x8000000000000000812074Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-206.attackrange.local-2022-04-15 14:34:58.093{29D0ABBC-8292-6259-BC70-000000004102}6900C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask"C:\Users\Administrator\ATTACKRANGE\Administrator{29D0ABBC-F50F-6256-FEB7-5F0100000000}0x15fb7fe2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{29D0ABBC-7BA1-6259-B16F-000000004102}4144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 154100x8000000000000000812012Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-206.attackrange.local-2022-04-15 14:34:43.785{29D0ABBC-8283-6259-B770-000000004102}1220C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask"C:\Users\Administrator\ATTACKRANGE\Administrator{29D0ABBC-F50F-6256-FEB7-5F0100000000}0x15fb7fe2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{29D0ABBC-7BA1-6259-B16F-000000004102}4144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 154100x8000000000000000811970Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-206.attackrange.local-2022-04-15 14:34:37.189{29D0ABBC-827D-6259-B370-000000004102}2340C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask" /v SDC:\Users\Administrator\ATTACKRANGE\Administrator{29D0ABBC-F50F-6256-FEB7-5F0100000000}0x15fb7fe2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{29D0ABBC-7BA1-6259-B16F-000000004102}4144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 154100x8000000000000000811149Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-206.attackrange.local-2022-04-15 14:32:22.606{29D0ABBC-81F6-6259-A070-000000004102}1324C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask" /v SD /fC:\Users\Administrator\NT AUTHORITY\SYSTEM{29D0ABBC-E8E2-6255-E703-000000000000}0x3e72SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{29D0ABBC-7BA1-6259-B16F-000000004102}4144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 154100x8000000000000000809077Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-206.attackrange.local-2022-04-15 14:22:03.276{29D0ABBC-7F8B-6259-5570-000000004102}5284C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask" /v SD /fC:\Users\Administrator\NT AUTHORITY\SYSTEM{29D0ABBC-E8E2-6255-E703-000000000000}0x3e72SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{29D0ABBC-7BA1-6259-B16F-000000004102}4144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 154100x8000000000000000807279Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-206.attackrange.local-2022-04-15 14:12:52.565{29D0ABBC-7D64-6259-1470-000000004102}5800C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask" /v SD /fC:\Users\Administrator\NT AUTHORITY\SYSTEM{29D0ABBC-E8E2-6255-E703-000000000000}0x3e72SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{29D0ABBC-7BA1-6259-B16F-000000004102}4144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 154100x8000000000000000806921Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-206.attackrange.local-2022-04-15 14:12:36.455{29D0ABBC-7D54-6259-0C70-000000004102}5452C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask" /v SD /fC:\Users\Administrator\NT AUTHORITY\SYSTEM{29D0ABBC-E8E2-6255-E703-000000000000}0x3e72SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{29D0ABBC-7D54-6259-0A70-000000004102}900C:\Windows\System32\cmd.execmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask" /v SD /f 154100x8000000000000000806881Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-206.attackrange.local-2022-04-15 14:12:36.376{29D0ABBC-7D54-6259-0A70-000000004102}900C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask" /v SD /fC:\Users\Administrator\NT AUTHORITY\SYSTEM{29D0ABBC-E8E2-6255-E703-000000000000}0x3e72SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{29D0ABBC-7BA1-6259-B16F-000000004102}4144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 154100x8000000000000000806585Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-206.attackrange.local-2022-04-15 14:12:21.604{29D0ABBC-7D45-6259-0870-000000004102}5804C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask" /v SD /fC:\Users\Administrator\NT AUTHORITY\SYSTEM{29D0ABBC-E8E2-6255-E703-000000000000}0x3e72SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{29D0ABBC-7BA1-6259-B16F-000000004102}4144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 154100x8000000000000000806294Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-206.attackrange.local-2022-04-15 14:12:07.492{29D0ABBC-7D37-6259-0670-000000004102}3392C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask" /v SD /fC:\Users\Administrator\NT AUTHORITY\SYSTEM{29D0ABBC-E8E2-6255-E703-000000000000}0x3e72SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{29D0ABBC-7BA1-6259-B16F-000000004102}4144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 154100x8000000000000000804663Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-206.attackrange.local-2022-04-15 14:06:39.599{29D0ABBC-7BEF-6259-D16F-000000004102}1140C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask" /v SD /fC:\Users\Administrator\ATTACKRANGE\Administrator{29D0ABBC-F50F-6256-FEB7-5F0100000000}0x15fb7fe2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{29D0ABBC-7BDE-6259-C56F-000000004102}6300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 154100x8000000000000000804419Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-206.attackrange.local-2022-04-15 14:06:08.725{29D0ABBC-7BD0-6259-C36F-000000004102}5792C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask" /v SD /fC:\Users\Administrator\ATTACKRANGE\Administrator{29D0ABBC-F50F-6256-FEB7-5F0100000000}0x15fb7fe2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{29D0ABBC-7B8C-6259-AC6F-000000004102}5620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 13241300x80000000000000006356710Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 06:40:20.686{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000006356709Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-15 06:40:20.686{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x80000000000000006356708Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-15 06:40:20.686{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000006356707Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-15 06:40:20.686{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x80000000000000004934318Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-14 20:53:51.203{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate\Scheduled Start\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000004207430Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-14 15:53:03.418{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Resume On Boot\IndexDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000004207309Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-14 15:53:03.265{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Schedule Scan\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x80000000000000004207253Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-14 15:53:03.265{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000004207252Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-14 15:53:03.265{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x80000000000000004207199Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-14 15:53:03.106{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Resume On Boot\IndexDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x80000000000000004207178Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-14 15:53:03.075{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000004207177Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-14 15:53:03.075{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x80000000000000004207176Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-14 15:53:03.075{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000004207175Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-14 15:53:03.075{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x80000000000000002997970Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-14 07:33:38.659{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000002997969Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-14 07:33:38.659{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x80000000000000002997968Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-14 07:33:38.659{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x80000000000000002997967Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-14 07:33:38.659{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x80000000000000001448079Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 20:53:17.116{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate\Scheduled Start\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 12241200x80000000000000001202165Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteValue2022-04-13 19:11:38.035{D66DFBF7-2069-6257-8903-000000004402}4708C:\Windows\System32\reg.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask\SDNT AUTHORITY\SYSTEM 154100x80000000000000001202008Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 19:11:38.000{D66DFBF7-206A-6257-8A03-000000004402}5076C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e70SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D66DFBF7-2069-6257-8903-000000004402}4708C:\Windows\System32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask" /v SD /fNT AUTHORITY\SYSTEM 154100x80000000000000001202001Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 19:11:37.991{D66DFBF7-2069-6257-8903-000000004402}4708C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask" /v SD /fC:\Windows\system32\NT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D66DFBF7-0AFA-6257-F800-000000004402}964C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEM 12241200x8000000000000000981024Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteValue2022-04-13 17:41:10.636{D66DFBF7-0B36-6257-0001-000000004402}3924C:\Windows\System32\reg.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnStartup\SDNT AUTHORITY\SYSTEM 154100x8000000000000000980936Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 17:41:10.495{D66DFBF7-0B36-6257-0101-000000004402}4684C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e70SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D66DFBF7-0B36-6257-0001-000000004402}3924C:\Windows\System32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnStartup" /v SD /fNT AUTHORITY\SYSTEM 154100x8000000000000000980886Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 17:41:10.471{D66DFBF7-0B36-6257-0001-000000004402}3924C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnStartup" /v SD /fC:\Windows\system32\NT AUTHORITY\SYSTEM{D66DFBF7-0898-6257-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{00000000-0000-0000-0000-000000000000}964--- 13241300x8000000000000000951767Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 17:33:02.093{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Resume On Boot\IndexDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x8000000000000000951683Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 17:33:01.890{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Schedule Scan\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x8000000000000000951679Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 17:33:01.875{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000951678Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 17:33:01.875{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x8000000000000000951348Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 17:33:01.625{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Resume On Boot\IndexDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x8000000000000000951196Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 17:33:01.515{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000951195Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 17:33:01.515{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x8000000000000000951194Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 17:33:01.515{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000951193Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 17:33:01.515{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x8000000000000000950846Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 17:32:35.912{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 12241200x8000000000000000922078Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 17:30:01.279{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\WindowsNT AUTHORITY\SYSTEM 12241200x8000000000000000922071Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 17:30:01.279{D66DFBF7-0899-6257-1400-000000004402}1032C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MicrosoftNT AUTHORITY\SYSTEM 12241200x8000000000000000882996Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteValue2022-04-13 17:08:36.360{D66DFBF7-0394-6257-9503-000000004302}5664C:\Windows\System32\reg.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_WMI\SDNT AUTHORITY\SYSTEM 154100x8000000000000000882960Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 17:08:36.337{D66DFBF7-0394-6257-9603-000000004302}6004C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{D66DFBF7-EF52-6256-E703-000000000000}0x3e70SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D66DFBF7-0394-6257-9503-000000004302}5664C:\Windows\System32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_WMI" /v SD /fNT AUTHORITY\SYSTEM 154100x8000000000000000882953Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 17:08:36.332{D66DFBF7-0394-6257-9503-000000004302}5664C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_WMI" /v SD /fC:\Windows\system32\NT AUTHORITY\SYSTEM{D66DFBF7-EF52-6256-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D66DFBF7-F779-6256-DD01-000000004302}5452C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEM 12241200x8000000000000000853567Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteValue2022-04-13 16:49:13.425{D66DFBF7-FF09-6256-0703-000000004302}2376C:\Windows\System32\reg.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnLogon\SDNT AUTHORITY\SYSTEM 154100x8000000000000000853531Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 16:49:13.341{D66DFBF7-FF09-6256-0803-000000004302}1312C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{D66DFBF7-EF52-6256-E703-000000000000}0x3e70SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D66DFBF7-FF09-6256-0703-000000004302}2376C:\Windows\System32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnLogon" /v SD /fNT AUTHORITY\SYSTEM 154100x8000000000000000853524Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 16:49:13.334{D66DFBF7-FF09-6256-0703-000000004302}2376C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnLogon" /v SD /fC:\Windows\system32\NT AUTHORITY\SYSTEM{D66DFBF7-EF52-6256-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D66DFBF7-F779-6256-DD01-000000004302}5452C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEM 12241200x8000000000000000847952Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteValue2022-04-13 16:45:30.061{D66DFBF7-FE2A-6256-EB02-000000004302}5468C:\Windows\System32\reg.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ATOMIC-T1053.005\SDNT AUTHORITY\SYSTEM 154100x8000000000000000847914Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 16:45:30.022{D66DFBF7-FE2A-6256-EC02-000000004302}3100C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{D66DFBF7-EF52-6256-E703-000000000000}0x3e70SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D66DFBF7-FE2A-6256-EB02-000000004302}5468C:\Windows\System32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ATOMIC-T1053.005" /v SD /fNT AUTHORITY\SYSTEM 154100x8000000000000000847907Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 16:45:30.017{D66DFBF7-FE2A-6256-EB02-000000004302}5468C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ATOMIC-T1053.005" /v SD /fC:\Windows\system32\NT AUTHORITY\SYSTEM{D66DFBF7-EF52-6256-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D66DFBF7-F779-6256-DD01-000000004302}5452C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEM 154100x8000000000000000847388Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 16:45:14.523{D66DFBF7-FE1A-6256-E802-000000004302}1000C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{D66DFBF7-EF52-6256-E703-000000000000}0x3e70SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D66DFBF7-FE1A-6256-E702-000000004302}5428C:\Windows\System32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn" /v SD /fNT AUTHORITY\SYSTEM 154100x8000000000000000847381Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 16:45:14.516{D66DFBF7-FE1A-6256-E702-000000004302}5428C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn" /v SD /fC:\Windows\system32\NT AUTHORITY\SYSTEM{D66DFBF7-EF52-6256-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D66DFBF7-F779-6256-DD01-000000004302}5452C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEM 13241300x8000000000000000846859Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 16:44:47.969{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ATOMIC-T1053.005\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x8000000000000000846858Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 16:44:47.969{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ATOMIC-T1053.005\Id{798B33B2-A460-4E42-80E9-E74E87A725A3}NT AUTHORITY\SYSTEM 13241300x8000000000000000846857Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 16:44:47.969{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ATOMIC-T1053.005\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000846856Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 16:44:47.969{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ATOMIC-T1053.005NT AUTHORITY\SYSTEM 13241300x8000000000000000846741Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 16:44:47.812{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_WMI\IndexDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x8000000000000000846740Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 16:44:47.812{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_WMI\Id{D1E132F6-867B-49D2-A440-059BD31628A8}NT AUTHORITY\SYSTEM 13241300x8000000000000000846739Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 16:44:47.812{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_WMI\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000846738Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 16:44:47.812{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_WMINT AUTHORITY\SYSTEM 13241300x8000000000000000845248Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 16:44:46.217{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask\IndexDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x8000000000000000845247Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 16:44:46.217{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask\Id{F2B8E230-4AA1-406F-A034-959DAC92FAE8}NT AUTHORITY\SYSTEM 13241300x8000000000000000845246Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 16:44:46.217{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000845245Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 16:44:46.217{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTaskNT AUTHORITY\SYSTEM 13241300x8000000000000000844147Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 16:44:44.478{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnStartup\IndexDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x8000000000000000844146Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 16:44:44.478{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnStartup\Id{C19AAE03-4F7D-488F-913F-C27CFA9667BF}NT AUTHORITY\SYSTEM 13241300x8000000000000000844145Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 16:44:44.478{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnStartup\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000844144Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 16:44:44.478{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnStartupNT AUTHORITY\SYSTEM 13241300x8000000000000000844106Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 16:44:44.447{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnLogon\IndexDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x8000000000000000844105Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 16:44:44.447{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnLogon\Id{E66C5A69-0B6B-4250-B33B-964144991AEB}NT AUTHORITY\SYSTEM 13241300x8000000000000000844104Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 16:44:44.447{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnLogon\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000844103Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 16:44:44.447{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnLogonNT AUTHORITY\SYSTEM 154100x8000000000000000842391Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 16:44:13.858{D66DFBF7-FDDD-6256-B902-000000004302}1204C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{D66DFBF7-EF52-6256-E703-000000000000}0x3e70SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D66DFBF7-FDDD-6256-B802-000000004302}5564C:\Windows\System32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn" /v SD /fNT AUTHORITY\SYSTEM 154100x8000000000000000842384Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 16:44:13.844{D66DFBF7-FDDD-6256-B802-000000004302}5564C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn" /v SD /fC:\Windows\system32\NT AUTHORITY\SYSTEM{D66DFBF7-EF52-6256-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D66DFBF7-F779-6256-DD01-000000004302}5452C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEM 12241200x8000000000000000812199Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteValue2022-04-13 16:24:20.347{D66DFBF7-F934-6256-2702-000000004302}5784C:\Windows\System32\reg.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn\SDNT AUTHORITY\SYSTEM 154100x8000000000000000812163Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 16:24:20.324{D66DFBF7-F934-6256-2802-000000004302}1980C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{D66DFBF7-EF52-6256-E703-000000000000}0x3e70SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D66DFBF7-F934-6256-2702-000000004302}5784C:\Windows\System32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn" /v SD /fNT AUTHORITY\SYSTEM 154100x8000000000000000812156Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 16:24:20.319{D66DFBF7-F934-6256-2702-000000004302}5784C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn" /v SD /fC:\Windows\system32\NT AUTHORITY\SYSTEM{D66DFBF7-EF52-6256-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D66DFBF7-F779-6256-DD01-000000004302}5452C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEM 13241300x8000000000000000812034Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 16:24:14.392{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x8000000000000000812033Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 16:24:14.392{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn\Id{16CFB87F-0FBC-4BD8-B46A-6763859BEE49}NT AUTHORITY\SYSTEM 13241300x8000000000000000812032Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 16:24:14.392{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000812031Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 16:24:14.392{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawnNT AUTHORITY\SYSTEM 154100x8000000000000000811737Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 16:24:08.452{D66DFBF7-F928-6256-2102-000000004302}5500C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{D66DFBF7-EF52-6256-E703-000000000000}0x3e70SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D66DFBF7-F928-6256-2002-000000004302}5392C:\Windows\System32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn" /v SD /fNT AUTHORITY\SYSTEM 154100x8000000000000000811730Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 16:24:08.448{D66DFBF7-F928-6256-2002-000000004302}5392C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn" /v SD /fC:\Windows\system32\NT AUTHORITY\SYSTEM{D66DFBF7-EF52-6256-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D66DFBF7-F779-6256-DD01-000000004302}5452C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEM 154100x8000000000000000811225Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 16:23:42.752{D66DFBF7-F90E-6256-1F02-000000004302}2492C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{D66DFBF7-EF52-6256-E703-000000000000}0x3e70SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D66DFBF7-F90E-6256-1E02-000000004302}2568C:\Windows\System32\reg.exereg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn /v SD /fNT AUTHORITY\SYSTEM 154100x8000000000000000811218Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 16:23:42.748{D66DFBF7-F90E-6256-1E02-000000004302}2568C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn /v SD /fC:\Windows\system32\NT AUTHORITY\SYSTEM{D66DFBF7-EF52-6256-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D66DFBF7-F779-6256-DD01-000000004302}5452C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEM 154100x8000000000000000810644Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 16:23:29.416{D66DFBF7-F901-6256-1802-000000004302}1016C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{D66DFBF7-EF52-6256-E703-000000000000}0x3e70SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D66DFBF7-F901-6256-1702-000000004302}5788C:\Windows\System32\reg.exereg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn /v SDNT AUTHORITY\SYSTEM 154100x8000000000000000810637Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 16:23:29.412{D66DFBF7-F901-6256-1702-000000004302}5788C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn /v SDC:\Windows\system32\NT AUTHORITY\SYSTEM{D66DFBF7-EF52-6256-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D66DFBF7-F779-6256-DD01-000000004302}5452C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEM 12241200x8000000000000000808926Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-13 16:22:23.042{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawnNT AUTHORITY\SYSTEM 154100x8000000000000000805856Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 16:20:26.005{D66DFBF7-F84A-6256-FA01-000000004302}5364C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{D66DFBF7-EF52-6256-E703-000000000000}0x3e70SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D66DFBF7-F849-6256-F901-000000004302}1240C:\Windows\System32\reg.exereg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn\SDNT AUTHORITY\SYSTEM 154100x8000000000000000805849Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 16:20:25.999{D66DFBF7-F849-6256-F901-000000004302}1240C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn\SDC:\Windows\system32\NT AUTHORITY\SYSTEM{D66DFBF7-EF52-6256-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D66DFBF7-F779-6256-DD01-000000004302}5452C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEM 13241300x8000000000000000804841Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 16:19:40.053{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x8000000000000000804840Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 16:19:40.053{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn\Id{59FC6DEC-41EE-4DC8-9E3E-3CF79F77606E}NT AUTHORITY\SYSTEM 13241300x8000000000000000804839Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 16:19:40.053{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000804838Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 16:19:40.053{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawnNT AUTHORITY\SYSTEM 13241300x8000000000000000777405Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:45:12.255{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Resume On Boot\IndexDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x8000000000000000777345Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:45:12.115{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Schedule Scan\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x8000000000000000777343Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:45:12.115{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000777342Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 15:45:12.115{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x8000000000000000777193Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:45:11.959{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Resume On Boot\IndexDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x8000000000000000777091Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:45:11.880{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000777090Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 15:45:11.880{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x8000000000000000777065Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:45:11.865{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000777064Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 15:45:11.865{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x8000000000000000776377Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:44:44.385{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 12241200x8000000000000000772672Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-13 15:43:12.115{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ATOMIC-T1053.005NT AUTHORITY\SYSTEM 12241200x8000000000000000772582Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-13 15:43:12.021{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_WMINT AUTHORITY\SYSTEM 12241200x8000000000000000771725Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-13 15:43:11.115{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTaskNT AUTHORITY\SYSTEM 12241200x8000000000000000771066Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-13 15:43:10.177{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawnNT AUTHORITY\SYSTEM 12241200x8000000000000000770982Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-13 15:43:10.099{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnStartupNT AUTHORITY\SYSTEM 12241200x8000000000000000770954Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-13 15:43:10.068{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnLogonNT AUTHORITY\SYSTEM 13241300x8000000000000000770772Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:42:55.943{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ATOMIC-T1053.005\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x8000000000000000770771Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:42:55.943{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ATOMIC-T1053.005\Id{F97FE84F-3146-4E42-91FD-D75E8ADEA557}NT AUTHORITY\SYSTEM 13241300x8000000000000000770770Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:42:55.943{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ATOMIC-T1053.005\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000770769Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 15:42:55.943{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ATOMIC-T1053.005NT AUTHORITY\SYSTEM 13241300x8000000000000000770627Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:42:55.818{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_WMI\IndexDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x8000000000000000770626Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:42:55.818{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_WMI\Id{39FE1095-7AA5-4ADB-AE06-572E0696DF67}NT AUTHORITY\SYSTEM 13241300x8000000000000000770625Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:42:55.818{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_WMI\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000770624Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 15:42:55.818{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_WMINT AUTHORITY\SYSTEM 13241300x8000000000000000769652Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:42:54.475{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask\IndexDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x8000000000000000769651Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:42:54.475{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask\Id{ED86CD37-D4A3-4467-91A0-9AB255AF852A}NT AUTHORITY\SYSTEM 13241300x8000000000000000769650Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:42:54.475{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000769649Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 15:42:54.475{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTaskNT AUTHORITY\SYSTEM 13241300x8000000000000000768824Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:42:53.678{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x8000000000000000768823Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:42:53.678{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn\Id{E7DFCE98-38B0-49B8-88E7-C282A657EE9A}NT AUTHORITY\SYSTEM 13241300x8000000000000000768822Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:42:53.678{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000768821Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 15:42:53.678{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawnNT AUTHORITY\SYSTEM 13241300x8000000000000000768725Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:42:53.568{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnStartup\IndexDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x8000000000000000768724Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:42:53.568{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnStartup\Id{0AB2FE99-A8B7-4BFE-8483-14D8239A6D04}NT AUTHORITY\SYSTEM 13241300x8000000000000000768723Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:42:53.568{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnStartup\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000768722Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 15:42:53.568{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnStartupNT AUTHORITY\SYSTEM 13241300x8000000000000000768660Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:42:53.537{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnLogon\IndexDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x8000000000000000768659Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:42:53.537{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnLogon\Id{08B8623F-8589-41A2-9E82-9A649ECCF47A}NT AUTHORITY\SYSTEM 13241300x8000000000000000768658Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 15:42:53.537{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnLogon\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000768657Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 15:42:53.537{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnLogonNT AUTHORITY\SYSTEM 12241200x8000000000000000720662Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 15:42:11.513{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\WindowsNT AUTHORITY\SYSTEM 12241200x8000000000000000720651Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 15:42:11.513{D66DFBF7-EF53-6256-1500-000000004302}1040C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MicrosoftNT AUTHORITY\SYSTEM 12241200x8000000000000000690481Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-13 14:53:37.309{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ATOMIC-T1053.005NT AUTHORITY\SYSTEM 12241200x8000000000000000690396Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-13 14:53:37.205{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_WMINT AUTHORITY\SYSTEM 12241200x8000000000000000689538Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-13 14:53:36.260{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTaskNT AUTHORITY\SYSTEM 12241200x8000000000000000688888Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-13 14:53:35.323{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawnNT AUTHORITY\SYSTEM 12241200x8000000000000000688804Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-13 14:53:35.195{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnStartupNT AUTHORITY\SYSTEM 12241200x8000000000000000688776Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-13 14:53:35.163{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnLogonNT AUTHORITY\SYSTEM 13241300x8000000000000000688593Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:53:29.647{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ATOMIC-T1053.005\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x8000000000000000688592Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:53:29.647{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ATOMIC-T1053.005\Id{FDF6531F-BCB0-4DA0-8FA2-0F97AECD336A}NT AUTHORITY\SYSTEM 13241300x8000000000000000688591Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:53:29.647{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ATOMIC-T1053.005\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000688590Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 14:53:29.647{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ATOMIC-T1053.005NT AUTHORITY\SYSTEM 13241300x8000000000000000688474Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:53:29.494{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_WMI\IndexDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x8000000000000000688473Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:53:29.494{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_WMI\Id{31464E53-6BC1-400A-9A95-A28D7A584239}NT AUTHORITY\SYSTEM 13241300x8000000000000000688472Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:53:29.494{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_WMI\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000688471Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 14:53:29.494{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_WMINT AUTHORITY\SYSTEM 13241300x8000000000000000687460Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:53:28.148{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask\IndexDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x8000000000000000687459Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:53:28.148{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask\Id{53B42E1A-1AF8-4D99-9098-A7FAF6E6B659}NT AUTHORITY\SYSTEM 13241300x8000000000000000687458Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:53:28.148{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTask\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000687457Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 14:53:28.148{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AtomicTaskNT AUTHORITY\SYSTEM 13241300x8000000000000000686064Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:53:26.692{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x8000000000000000686063Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:53:26.692{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn\Id{11BE30C2-60D8-40DB-B419-B80E50339948}NT AUTHORITY\SYSTEM 13241300x8000000000000000686062Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:53:26.692{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000686061Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 14:53:26.692{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawnNT AUTHORITY\SYSTEM 13241300x8000000000000000685954Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:53:26.570{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnStartup\IndexDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x8000000000000000685953Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:53:26.570{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnStartup\Id{78AE9E08-0A32-4537-B910-DD155BEAC72E}NT AUTHORITY\SYSTEM 13241300x8000000000000000685952Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:53:26.570{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnStartup\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000685951Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 14:53:26.570{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnStartupNT AUTHORITY\SYSTEM 13241300x8000000000000000685913Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:53:26.539{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnLogon\IndexDWORD (0x00000002)NT AUTHORITY\SYSTEM 13241300x8000000000000000685912Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:53:26.539{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnLogon\Id{1E6BDFBF-D74F-4230-9E38-95A177D3F45D}NT AUTHORITY\SYSTEM 13241300x8000000000000000685911Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:53:26.539{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnLogon\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000685910Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 14:53:26.539{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T1053_005_OnLogonNT AUTHORITY\SYSTEM 12241200x8000000000000000685427Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-DeleteKey2022-04-13 14:52:59.905{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawnNT AUTHORITY\SYSTEM 13241300x8000000000000000663371Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:19:26.777{D66DFBF7-DBE0-6256-A91D-000000004202}2468C:\Windows\regedit.exeHKU\S-1-5-21-3537785052-1706998185-611518450-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKeyComputer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawnWIN-HOST-MHAAG-\Administrator 13241300x8000000000000000662490Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:19:05.211{D66DFBF7-DB6E-6256-971D-000000004202}5964C:\Windows\regedit.exeHKU\S-1-5-21-3537785052-1706998185-611518450-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKeyComputer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawnWIN-HOST-MHAAG-\Administrator 154100x8000000000000000658972Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 14:17:10.358{D66DFBF7-DB66-6256-941D-000000004202}592C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawnC:\Users\Administrator\WIN-HOST-MHAAG-\Administrator{D66DFBF7-EB48-6255-1A49-070000000000}0x7491a2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D66DFBF7-DB31-6256-881D-000000004202}352C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /K "doskey git=^"C:\Program Files\Git\cmd\git.exe^" $*"WIN-HOST-MHAAG-\Administrator 154100x8000000000000000658911Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 14:16:51.810{D66DFBF7-DB53-6256-931D-000000004202}3100C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn /FC:\Users\Administrator\WIN-HOST-MHAAG-\Administrator{D66DFBF7-EB48-6255-1A49-070000000000}0x7491a2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D66DFBF7-DB31-6256-881D-000000004202}352C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /K "doskey git=^"C:\Program Files\Git\cmd\git.exe^" $*"WIN-HOST-MHAAG-\Administrator 154100x8000000000000000657739Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 14:16:22.673{D66DFBF7-DB36-6256-8A1D-000000004202}1404C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawnC:\Users\Administrator\WIN-HOST-MHAAG-\Administrator{D66DFBF7-EB48-6255-1A49-070000000000}0x7491a2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D66DFBF7-DB31-6256-881D-000000004202}352C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /K "doskey git=^"C:\Program Files\Git\cmd\git.exe^" $*"WIN-HOST-MHAAG-\Administrator 154100x8000000000000000656657Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-13 14:16:14.096{D66DFBF7-DB2E-6256-831D-000000004202}2608C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawnC:\Users\Administrator\Downloads\Sysmon\WIN-HOST-MHAAG-\Administrator{D66DFBF7-EB48-6255-1A49-070000000000}0x7491a2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D66DFBF7-EB5F-6255-AA00-000000004202}6792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 13241300x8000000000000000656549Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:15:43.960{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x8000000000000000656548Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:15:43.960{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn\Id{6F214826-4964-44D4-AE8B-8D242738B9E2}NT AUTHORITY\SYSTEM 13241300x8000000000000000656547Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 14:15:43.960{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawn\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000656546Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 14:15:43.960{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\spawnNT AUTHORITY\SYSTEM 13241300x8000000000000000487577Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 09:36:44.509{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000487576Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 09:36:44.509{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x8000000000000000487575Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-13 09:36:44.509{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x8000000000000000487574Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-13 09:36:44.509{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x800000000000000052986Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:27:44.475{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate\Scheduled Start\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x800000000000000047790Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:22:36.653{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x800000000000000047789Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-12 21:22:36.653{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x800000000000000047788Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:22:36.653{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x800000000000000047787Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-12 21:22:36.653{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x800000000000000043427Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:17:42.844{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Resume On Boot\IndexDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000043370Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:17:42.692{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Schedule Scan\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM 13241300x800000000000000043351Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:17:42.692{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x800000000000000043350Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-12 21:17:42.692{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x800000000000000042704Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:17:42.071{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Resume On Boot\IndexDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000042486Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:17:41.971{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x800000000000000042485Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-12 21:17:41.971{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x800000000000000042479Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:17:41.971{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\SDBinary DataNT AUTHORITY\SYSTEM 12241200x800000000000000042478Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-12 21:17:41.971{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestratorNT AUTHORITY\SYSTEM 13241300x800000000000000015424Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:14:46.539{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\npcapwatchdog\IndexDWORD (0x00000001)NT AUTHORITY\SYSTEM 13241300x800000000000000015422Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:14:46.539{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\npcapwatchdog\Id{738E1545-0667-4997-92FA-BCE6056274FE}NT AUTHORITY\SYSTEM 13241300x800000000000000015421Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:14:46.539{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\npcapwatchdog\SDBinary DataNT AUTHORITY\SYSTEM 12241200x800000000000000015420Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-CreateKey2022-04-12 21:14:46.539{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\npcapwatchdogNT AUTHORITY\SYSTEM 13241300x800000000000000012385Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:14:41.987{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\IndexDWORD (0x00000003)NT AUTHORITY\SYSTEM