534500x800000000000000040892886Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-31 20:39:14.170{C2494F38-C6F2-630F-0E72-000000006A02}1696C:\Windows\hh.exeWIN-HOST-MHAAG-\Administrator 10341000x800000000000000040892885Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-31 20:39:14.061{C2494F38-B7C2-630C-F900-000000006A02}42124216C:\Windows\system32\csrss.exe{C2494F38-C6E8-630F-1270-000000006A02}1696C:\Windows\hh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x800000000000000040892884Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-31 20:39:14.061{C2494F38-C6F2-630F-0C72-000000006A02}51722472C:\Windows\SYSTEM32\cmd.exe{C2494F38-C6E8-630F-1270-000000006A02}1696C:\Windows\hh.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\SYSTEM32\cmd.exe+f1e1|C:\Windows\SYSTEM32\cmd.exe+11a37|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x800000000000000040892883Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-31 20:39:14.071{C2494F38-C6F2-630F-0E72-000000006A02}1696C:\Windows\hh.exe10.0.14393.0 (rs1_release.160715-1616)Microsoft® HTML Help ExecutableHTML HelpMicrosoft CorporationHH.exehh.exe -decompile C:\AtomicRedTeam\atomics\T1218.001\src\T1218.001.chm C:\AtomicRedTeam\atomics\T1218.001\srcC:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-B7C3-630C-0C7A-0E0000000000}0xe7a0c2HighMD5=52AFE6DE5E463B7A08C184B1EB49DD6A,SHA256=9823D79E936B57C94BFB84383CC708BFC15D1D16E67F6CB119B60F28B01BFA63,IMPHASH=4EDF49AE6BCC4F8FED829FAFD5D4D269{C2494F38-C6F2-630F-0C72-000000006A02}5172C:\Windows\System32\cmd.exe"cmd.exe" /c "hh.exe -decompile C:\AtomicRedTeam\atomics\T1218.001\src\T1218.001.chm C:\AtomicRedTeam\atomics\T1218.001\src"WIN-HOST-MHAAG-\Administrator 154100x800000000000000040892880Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-31 20:39:14.052{C2494F38-C6F2-630F-0D72-000000006A02}6108C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{C2494F38-B7C3-630C-0C7A-0E0000000000}0xe7a0c2HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733{C2494F38-C6F2-630F-0C72-000000006A02}5172C:\Windows\System32\cmd.exe"cmd.exe" /c "hh.exe -decompile C:\AtomicRedTeam\atomics\T1218.001\src\T1218.001.chm C:\AtomicRedTeam\atomics\T1218.001\src"WIN-HOST-MHAAG-\Administrator 154100x800000000000000040892877Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-31 20:39:14.044{C2494F38-C6F2-630F-0C72-000000006A02}5172C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "hh.exe -decompile C:\AtomicRedTeam\atomics\T1218.001\src\T1218.001.chm C:\AtomicRedTeam\atomics\T1218.001\src"C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-B7C3-630C-0C7A-0E0000000000}0xe7a0c2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{C2494F38-99DE-630F-BE5F-000000006A02}1984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator