534500x800000000000000012434022Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.229{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeWIN-HOST-MHAAG-\Administrator 23542300x800000000000000012434021Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.229{C2494F38-B62F-62D6-893D-010000006202}7556WIN-HOST-MHAAG-\AdministratorC:\windows\system32\wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp1A36.tmpMD5=641B75B289F5CC9A5D38B0BA58B962D4,SHA256=73403613F6DFB46CAE93CAF1D6417F9A882EA545F390F786DBD82E876549AEBDfalsetrue 734700x800000000000000012434009Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.214{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012434008Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.214{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012434007Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-6EF4-62CC-0B00-000000006202}6407376C:\Windows\system32\lsass.exe{C2494F38-B62F-62D6-893D-010000006202}7556C:\windows\system32\wbem\mofcomp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6edfc|C:\Windows\system32\lsasrv.dll+e71d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012434006Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012434005Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 11241100x800000000000000012434004Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\windows\system32\wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp1A36.tmp2022-07-19 13:48:31.198WIN-HOST-MHAAG-\Administrator 23542300x800000000000000012434003Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556WIN-HOST-MHAAG-\AdministratorC:\windows\system32\wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp1A36.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000012434002Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\windows\system32\wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp1A36.tmp2022-07-19 13:48:31.198WIN-HOST-MHAAG-\Administrator 734700x800000000000000012434001Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012434000Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012433999Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofd.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationmofd.dllMD5=0382CBA557A8FF4DE06261510BE2030F,SHA256=B233C81930205E15241CFD825470B1404FED2FA542FE11F774941894CCB13257trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012433998Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012433997Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-6EF5-62CC-0C00-000000006202}7366328C:\Windows\system32\svchost.exe{C2494F38-B62F-62D6-893D-010000006202}7556C:\windows\system32\wbem\mofcomp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012433996Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012433995Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\windows\system32\wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012433994Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\windows\system32\wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012433993Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012433992Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012433991Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012433990Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012433989Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012433988Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5192 (rs1_release.220610-1622)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=10B8B28AD9FDD41A2EB75DE349C25523,SHA256=56BB0955AF60E4E9FEDF3AC83FB96CCC1D66A8540F3450BAC3F30CD16BF16416trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012433987Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012433986Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012433985Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012433984Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-883D-010000006202}9404464C:\Windows\system32\conhost.exe{C2494F38-B62F-62D6-893D-010000006202}7556C:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 734700x800000000000000012433983Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012433982Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.198{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012433981Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.182{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012433980Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.182{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exeMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFAtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012433979Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.182{C2494F38-6F0F-62CC-7C00-000000006202}19681388C:\Windows\system32\csrss.exe{C2494F38-B62F-62D6-893D-010000006202}7556C:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012433978Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.182{C2494F38-B62F-62D6-873D-010000006202}4156172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{C2494F38-B62F-62D6-893D-010000006202}7556C:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+15c04d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a000ef|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a63b61|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45a01|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a36721|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a437d5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a000ef|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a63b61WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x800000000000000012433977Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.195{C2494F38-B62F-62D6-893D-010000006202}7556C:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exe"C:\windows\system32\wbem\mofcomp.exe" c:\users\administrator\desktop\test.mofC:\Users\Administrator\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFA{C2494F38-B62F-62D6-873D-010000006202}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {c:\windows\system32\wbem\mofcomp.exe c:\users\administrator\desktop\test.mof}WIN-HOST-MHAAG-\Administrator 154100x800000000000000012433697Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.021{C2494F38-B62F-62D6-883D-010000006202}940C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{C2494F38-B62F-62D6-873D-010000006202}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {c:\windows\system32\wbem\mofcomp.exe c:\users\administrator\desktop\test.mof}WIN-HOST-MHAAG-\Administrator 154100x800000000000000012433690Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:48:31.016{C2494F38-B62F-62D6-873D-010000006202}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" & {c:\windows\system32\wbem\mofcomp.exe c:\users\administrator\desktop\test.mof}C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{C2494F38-4572-62D0-FC79-000000006202}5140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x800000000000000012431446Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.219{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeWIN-HOST-MHAAG-\Administrator 23542300x800000000000000012431445Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.219{C2494F38-B58C-62D6-6B3D-010000006202}7132WIN-HOST-MHAAG-\AdministratorC:\windows\system32\wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp9D5F.tmpMD5=641B75B289F5CC9A5D38B0BA58B962D4,SHA256=73403613F6DFB46CAE93CAF1D6417F9A882EA545F390F786DBD82E876549AEBDfalsetrue 734700x800000000000000012431431Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.188{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012431430Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.188{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012431429Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.188{C2494F38-6EF4-62CC-0B00-000000006202}6407424C:\Windows\system32\lsass.exe{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\windows\system32\wbem\mofcomp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6edfc|C:\Windows\system32\lsasrv.dll+e71d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012431428Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.188{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012431427Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.188{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 11241100x800000000000000012431426Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.188{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\windows\system32\wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp9D5F.tmp2022-07-19 13:45:48.172WIN-HOST-MHAAG-\Administrator 23542300x800000000000000012431425Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.188{C2494F38-B58C-62D6-6B3D-010000006202}7132WIN-HOST-MHAAG-\AdministratorC:\windows\system32\wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp9D5F.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000012431424Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.188{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\windows\system32\wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp9D5F.tmp2022-07-19 13:45:48.172WIN-HOST-MHAAG-\Administrator 734700x800000000000000012431423Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.172{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012431422Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.172{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012431421Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.172{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofd.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationmofd.dllMD5=0382CBA557A8FF4DE06261510BE2030F,SHA256=B233C81930205E15241CFD825470B1404FED2FA542FE11F774941894CCB13257trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012431420Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.172{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012431419Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.172{C2494F38-6EF5-62CC-0C00-000000006202}7366328C:\Windows\system32\svchost.exe{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\windows\system32\wbem\mofcomp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012431418Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.172{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012431417Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 13:45:48.172{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\windows\system32\wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012431416Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 13:45:48.172{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\windows\system32\wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012431415Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.172{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012431414Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.172{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012431413Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.172{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012431412Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.172{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012431411Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.172{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012431410Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.172{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5192 (rs1_release.220610-1622)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=10B8B28AD9FDD41A2EB75DE349C25523,SHA256=56BB0955AF60E4E9FEDF3AC83FB96CCC1D66A8540F3450BAC3F30CD16BF16416trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012431409Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.172{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012431408Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.172{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012431407Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.172{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012431406Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.172{C2494F38-B58C-62D6-6A3D-010000006202}22405592C:\Windows\system32\conhost.exe{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 734700x800000000000000012431405Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.172{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012431404Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.172{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012431403Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.172{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012431402Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.172{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exeMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFAtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012431401Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.156{C2494F38-6F0F-62CC-7C00-000000006202}19683176C:\Windows\system32\csrss.exe{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012431400Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.156{C2494F38-B58B-62D6-693D-010000006202}81805308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+15c04d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a000ef|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a63b61|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45a01|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a36721|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a437d5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a000ef|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a63b61WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x800000000000000012431399Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.171{C2494F38-B58C-62D6-6B3D-010000006202}7132C:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exe"C:\windows\system32\wbem\mofcomp.exe" c:\users\administrator\desktop\test.mofC:\Users\Administrator\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFA{C2494F38-B58B-62D6-693D-010000006202}8180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {c:\windows\system32\wbem\mofcomp.exe c:\users\administrator\desktop\test.mof}WIN-HOST-MHAAG-\Administrator 154100x800000000000000012431123Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:48.004{C2494F38-B58C-62D6-6A3D-010000006202}2240C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{C2494F38-B58B-62D6-693D-010000006202}8180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {c:\windows\system32\wbem\mofcomp.exe c:\users\administrator\desktop\test.mof}WIN-HOST-MHAAG-\Administrator 154100x800000000000000012431116Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:47.998{C2494F38-B58B-62D6-693D-010000006202}8180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" & {c:\windows\system32\wbem\mofcomp.exe c:\users\administrator\desktop\test.mof}C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{C2494F38-4572-62D0-FC79-000000006202}5140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 12241200x800000000000000012430282Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 13:45:16.469{C2494F38-B56C-62D6-5D3D-010000006202}2940C:\windows\system32\wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012430281Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 13:45:16.469{C2494F38-B56C-62D6-5D3D-010000006202}2940C:\windows\system32\wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012430278Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:16.469{C2494F38-B56C-62D6-5D3D-010000006202}2940C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012430277Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:16.469{C2494F38-B56C-62D6-5D3D-010000006202}2940C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012430276Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:16.469{C2494F38-B56C-62D6-5D3D-010000006202}2940C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012430270Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:16.469{C2494F38-B56C-62D6-5D3D-010000006202}2940C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012430253Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:16.469{C2494F38-B56C-62D6-5D3D-010000006202}2940C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012430249Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:16.469{C2494F38-B56C-62D6-5D3D-010000006202}2940C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5192 (rs1_release.220610-1622)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=10B8B28AD9FDD41A2EB75DE349C25523,SHA256=56BB0955AF60E4E9FEDF3AC83FB96CCC1D66A8540F3450BAC3F30CD16BF16416trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012430248Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:16.469{C2494F38-B56C-62D6-5D3D-010000006202}2940C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012430247Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:16.469{C2494F38-B56C-62D6-5D3D-010000006202}2940C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012430246Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:16.469{C2494F38-B56C-62D6-5D3D-010000006202}2940C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012430245Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:16.469{C2494F38-B56B-62D6-5C3D-010000006202}57127392C:\Windows\system32\conhost.exe{C2494F38-B56C-62D6-5D3D-010000006202}2940C:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 734700x800000000000000012430243Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:16.469{C2494F38-B56C-62D6-5D3D-010000006202}2940C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012430241Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:16.469{C2494F38-B56C-62D6-5D3D-010000006202}2940C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012430240Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:16.469{C2494F38-B56C-62D6-5D3D-010000006202}2940C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012430239Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:16.469{C2494F38-B56C-62D6-5D3D-010000006202}2940C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exeMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFAtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012430238Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:16.469{C2494F38-6F0F-62CC-7C00-000000006202}19683520C:\Windows\system32\csrss.exe{C2494F38-B56C-62D6-5D3D-010000006202}2940C:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012430237Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:16.469{C2494F38-B56B-62D6-5B3D-010000006202}18727576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{C2494F38-B56C-62D6-5D3D-010000006202}2940C:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+15c04d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a000ef|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a63b61|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45a01|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a36721|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a437d5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a000ef|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a63b61WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x800000000000000012430236Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:16.470{C2494F38-B56C-62D6-5D3D-010000006202}2940C:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exe"C:\windows\system32\wbem\mofcomp.exe" C:\AtomicRedTeam\atomics\T1546.003\src\T1546.003.mofC:\Users\Administrator\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFA{C2494F38-B56B-62D6-5B3D-010000006202}1872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {c:\windows\system32\wbem\mofcomp.exe C:\AtomicRedTeam\atomics\T1546.003\src\T1546.003.mof}WIN-HOST-MHAAG-\Administrator 154100x800000000000000012429762Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:15.255{C2494F38-B56B-62D6-5C3D-010000006202}5712C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{C2494F38-B56B-62D6-5B3D-010000006202}1872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {c:\windows\system32\wbem\mofcomp.exe C:\AtomicRedTeam\atomics\T1546.003\src\T1546.003.mof}WIN-HOST-MHAAG-\Administrator 154100x800000000000000012429754Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:45:15.245{C2494F38-B56B-62D6-5B3D-010000006202}1872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" & {c:\windows\system32\wbem\mofcomp.exe C:\AtomicRedTeam\atomics\T1546.003\src\T1546.003.mof}C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{C2494F38-4572-62D0-FC79-000000006202}5140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x800000000000000012428082Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.530{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeWIN-HOST-MHAAG-\Administrator 23542300x800000000000000012428081Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.530{C2494F38-B4D2-62D6-473D-010000006202}844WIN-HOST-MHAAG-\AdministratorC:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmpC808.tmpMD5=8F1562854A72C62F7AC093DDCAF00745,SHA256=49E586B40C16FF0CB789841C9FA16172CA7950FE7D2FBF2ED3A092782C2C9BD8falsetrue 734700x800000000000000012428069Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.498{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012428068Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.483{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012428067Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.483{C2494F38-6EF4-62CC-0B00-000000006202}640716C:\Windows\system32\lsass.exe{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\Wbem\mofcomp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6edfc|C:\Windows\system32\lsasrv.dll+e71d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012428066Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.483{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012428065Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.483{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 11241100x800000000000000012428064Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.483{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmpC808.tmp2022-07-19 13:42:42.483WIN-HOST-MHAAG-\Administrator 23542300x800000000000000012428063Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.483{C2494F38-B4D2-62D6-473D-010000006202}844WIN-HOST-MHAAG-\AdministratorC:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmpC808.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000012428062Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.483{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmpC808.tmp2022-07-19 13:42:42.483WIN-HOST-MHAAG-\Administrator 734700x800000000000000012428061Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.483{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012428060Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.483{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012428059Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.483{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofd.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationmofd.dllMD5=0382CBA557A8FF4DE06261510BE2030F,SHA256=B233C81930205E15241CFD825470B1404FED2FA542FE11F774941894CCB13257trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012428058Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.483{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012428057Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.483{C2494F38-6EF5-62CC-0C00-000000006202}736536C:\Windows\system32\svchost.exe{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\Wbem\mofcomp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012428056Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.483{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012428055Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 13:42:42.467{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012428054Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 13:42:42.467{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012428053Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.467{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012428052Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.467{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012428051Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.467{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012428050Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.467{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012428049Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.467{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012428048Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.467{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5192 (rs1_release.220610-1622)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=10B8B28AD9FDD41A2EB75DE349C25523,SHA256=56BB0955AF60E4E9FEDF3AC83FB96CCC1D66A8540F3450BAC3F30CD16BF16416trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012428047Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.467{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012428046Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.467{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012428045Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.467{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012428044Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.467{C2494F38-4572-62D0-FD79-000000006202}13841856C:\Windows\system32\conhost.exe{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 734700x800000000000000012428043Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.467{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012428042Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.467{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012428041Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.467{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012428040Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.467{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exeMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFAtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012428039Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.467{C2494F38-6F0F-62CC-7C00-000000006202}19683520C:\Windows\system32\csrss.exe{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012428038Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.467{C2494F38-4572-62D0-FC79-000000006202}51406136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+15c04d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a000ef|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a63b61|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45a01|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a36721|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a437d5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a28428|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a2799aWIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x800000000000000012428037Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:42.471{C2494F38-B4D2-62D6-473D-010000006202}844C:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exe"C:\Windows\System32\Wbem\mofcomp.exe" .\test.mofC:\Users\Administrator\Desktop\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFA{C2494F38-4572-62D0-FC79-000000006202}5140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x800000000000000012427191Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.857{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\wbem\mofcomp.exeWIN-HOST-MHAAG-\Administrator 23542300x800000000000000012427190Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.857{C2494F38-B4B1-62D6-3C3D-010000006202}7948WIN-HOST-MHAAG-\AdministratorC:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp4887.tmpMD5=D3A165321AECF7A57B4F2830C7C0E49F,SHA256=47DF2980FDD7A7E4B620D5797DC02244EF66CDB6F2B9BF347819A5297E16A740falsetrue 734700x800000000000000012427189Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.857{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 11241100x800000000000000012427188Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.841{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp4887.tmp2022-07-19 13:42:09.841WIN-HOST-MHAAG-\Administrator 23542300x800000000000000012427187Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.841{C2494F38-B4B1-62D6-3C3D-010000006202}7948WIN-HOST-MHAAG-\AdministratorC:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp4887.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000012427186Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.841{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp4887.tmp2022-07-19 13:42:09.841WIN-HOST-MHAAG-\Administrator 734700x800000000000000012427185Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.841{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012427184Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.841{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012427183Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.841{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofd.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationmofd.dllMD5=0382CBA557A8FF4DE06261510BE2030F,SHA256=B233C81930205E15241CFD825470B1404FED2FA542FE11F774941894CCB13257trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012427182Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.841{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012427181Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.841{C2494F38-6EF5-62CC-0C00-000000006202}7368024C:\Windows\system32\svchost.exe{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\Wbem\mofcomp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012427180Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.841{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012427179Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 13:42:09.841{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012427178Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 13:42:09.841{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012427177Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.841{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012427176Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.841{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012427175Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.841{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012427174Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.841{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012427173Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.841{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012427172Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.841{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5192 (rs1_release.220610-1622)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=10B8B28AD9FDD41A2EB75DE349C25523,SHA256=56BB0955AF60E4E9FEDF3AC83FB96CCC1D66A8540F3450BAC3F30CD16BF16416trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012427171Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.841{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012427170Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.841{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012427169Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.841{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012427168Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.841{C2494F38-4572-62D0-FD79-000000006202}13841856C:\Windows\system32\conhost.exe{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 734700x800000000000000012427167Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.825{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012427166Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.825{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012427165Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.825{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012427164Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.825{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exeMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFAtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012427163Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.825{C2494F38-6F0F-62CC-7C00-000000006202}19681388C:\Windows\system32\csrss.exe{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012427162Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.825{C2494F38-4572-62D0-FC79-000000006202}51406136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+15c04d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a000ef|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a63b61|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45a01|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a36721|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a437d5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a28428|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a2799aWIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x800000000000000012427161Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:42:09.836{C2494F38-B4B1-62D6-3C3D-010000006202}7948C:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exe"C:\Windows\System32\Wbem\mofcomp.exe" .\test.mofC:\Users\Administrator\Desktop\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFA{C2494F38-4572-62D0-FC79-000000006202}5140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x800000000000000012426552Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.354{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\wbem\mofcomp.exeWIN-HOST-MHAAG-\Administrator 23542300x800000000000000012426551Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.354{C2494F38-B47E-62D6-343D-010000006202}5132WIN-HOST-MHAAG-\AdministratorC:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp7F6B.tmpMD5=E67CB12D0A0F78DD868F7DC12C1BF3B2,SHA256=240C3E384CB7AE985B83CC3D44BD2248AA7D5696CBCB2860C8DF3B06EB0A72CEfalsetrue 734700x800000000000000012426550Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.354{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 11241100x800000000000000012426549Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.354{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp7F6B.tmp2022-07-19 13:41:18.354WIN-HOST-MHAAG-\Administrator 23542300x800000000000000012426548Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.354{C2494F38-B47E-62D6-343D-010000006202}5132WIN-HOST-MHAAG-\AdministratorC:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp7F6B.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000012426547Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.354{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp7F6B.tmp2022-07-19 13:41:18.354WIN-HOST-MHAAG-\Administrator 734700x800000000000000012426546Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.354{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012426545Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.354{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012426544Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.354{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofd.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationmofd.dllMD5=0382CBA557A8FF4DE06261510BE2030F,SHA256=B233C81930205E15241CFD825470B1404FED2FA542FE11F774941894CCB13257trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012426543Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.354{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012426542Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.354{C2494F38-6EF5-62CC-0C00-000000006202}7368024C:\Windows\system32\svchost.exe{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\Wbem\mofcomp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012426541Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.354{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012426540Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 13:41:18.354{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012426539Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 13:41:18.354{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012426538Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.339{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012426537Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.339{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012426536Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.339{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012426535Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.339{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012426534Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.339{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012426533Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.339{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5192 (rs1_release.220610-1622)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=10B8B28AD9FDD41A2EB75DE349C25523,SHA256=56BB0955AF60E4E9FEDF3AC83FB96CCC1D66A8540F3450BAC3F30CD16BF16416trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012426532Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.339{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012426531Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.339{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012426530Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.339{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012426529Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.339{C2494F38-4572-62D0-FD79-000000006202}13841856C:\Windows\system32\conhost.exe{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 734700x800000000000000012426528Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.339{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012426527Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.339{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012426526Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.339{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012426525Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.339{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exeMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFAtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012426524Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.339{C2494F38-6F0F-62CC-7C00-000000006202}19683520C:\Windows\system32\csrss.exe{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012426523Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.339{C2494F38-4572-62D0-FC79-000000006202}51406136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+15c04d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a000ef|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a63b61|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45a01|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a36721|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a437d5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a28428|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a2799aWIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x800000000000000012426522Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:41:18.345{C2494F38-B47E-62D6-343D-010000006202}5132C:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exe"C:\Windows\System32\Wbem\mofcomp.exe" .\test.mofC:\Users\Administrator\Desktop\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFA{C2494F38-4572-62D0-FC79-000000006202}5140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x800000000000000012420576Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.180{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\wbem\mofcomp.exeWIN-HOST-MHAAG-\Administrator 23542300x800000000000000012420575Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.180{C2494F38-B21A-62D6-EA3C-010000006202}6568WIN-HOST-MHAAG-\AdministratorC:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp282E.tmpMD5=FBB466D15E8CDC193F14FC53385B8AA1,SHA256=34F60053951430FF728753FFAA8B40C6E08C1B8932C9D0F7589D6ED5FDF21036falsetrue 734700x800000000000000012420574Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.180{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 11241100x800000000000000012420573Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.180{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp282E.tmp2022-07-19 13:31:06.180WIN-HOST-MHAAG-\Administrator 23542300x800000000000000012420572Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.180{C2494F38-B21A-62D6-EA3C-010000006202}6568WIN-HOST-MHAAG-\AdministratorC:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp282E.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000012420571Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.180{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp282E.tmp2022-07-19 13:31:06.180WIN-HOST-MHAAG-\Administrator 734700x800000000000000012420570Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.180{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420569Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.180{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420568Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.180{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofd.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationmofd.dllMD5=0382CBA557A8FF4DE06261510BE2030F,SHA256=B233C81930205E15241CFD825470B1404FED2FA542FE11F774941894CCB13257trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420567Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.180{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012420566Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.180{C2494F38-6EF5-62CC-0C00-000000006202}7366328C:\Windows\system32\svchost.exe{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\Wbem\mofcomp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420565Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.180{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012420564Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 13:31:06.180{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012420563Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 13:31:06.180{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420562Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.180{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420561Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.180{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420560Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.180{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420559Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.164{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420558Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.164{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420557Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.164{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420556Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.164{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5192 (rs1_release.220610-1622)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=10B8B28AD9FDD41A2EB75DE349C25523,SHA256=56BB0955AF60E4E9FEDF3AC83FB96CCC1D66A8540F3450BAC3F30CD16BF16416trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420555Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.164{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420554Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.164{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012420553Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.164{C2494F38-4572-62D0-FD79-000000006202}13841856C:\Windows\system32\conhost.exe{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420552Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.164{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420551Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.164{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420550Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.164{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420549Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.164{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exeMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFAtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012420548Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.164{C2494F38-6F0F-62CC-7C00-000000006202}19683176C:\Windows\system32\csrss.exe{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012420547Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.164{C2494F38-4572-62D0-FC79-000000006202}51406136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+15c04d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a000ef|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a63b61|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45a01|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a36721|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a437d5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a28428|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a2799aWIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x800000000000000012420546Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:31:06.171{C2494F38-B21A-62D6-EA3C-010000006202}6568C:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exe"C:\Windows\System32\Wbem\mofcomp.exe" .\test.mofC:\Users\Administrator\Desktop\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFA{C2494F38-4572-62D0-FC79-000000006202}5140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x800000000000000012420095Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.511{C2494F38-B1EA-62D6-E43C-010000006202}4304C:\Windows\System32\wbem\mofcomp.exeWIN-HOST-MHAAG-\Administrator 23542300x800000000000000012420094Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.511{C2494F38-B1EA-62D6-E43C-010000006202}4304WIN-HOST-MHAAG-\Administratorc:\windows\system32\wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp6DE7.tmpMD5=664F6222EDC81978DB299AEB483B5DD7,SHA256=754B7BA2FAEF96259C6927B7597D9366241BAC980DD8B8C7150D27BF3203A04Ffalsetrue 734700x800000000000000012420093Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.511{C2494F38-B1EA-62D6-E43C-010000006202}4304C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 11241100x800000000000000012420092Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.511{C2494F38-B1EA-62D6-E43C-010000006202}4304c:\windows\system32\wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp6DE7.tmp2022-07-19 13:30:18.511WIN-HOST-MHAAG-\Administrator 23542300x800000000000000012420091Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.511{C2494F38-B1EA-62D6-E43C-010000006202}4304WIN-HOST-MHAAG-\Administratorc:\windows\system32\wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp6DE7.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000012420090Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.511{C2494F38-B1EA-62D6-E43C-010000006202}4304c:\windows\system32\wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp6DE7.tmp2022-07-19 13:30:18.511WIN-HOST-MHAAG-\Administrator 734700x800000000000000012420089Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.496{C2494F38-B1EA-62D6-E43C-010000006202}4304C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420088Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.496{C2494F38-B1EA-62D6-E43C-010000006202}4304C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420087Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.496{C2494F38-B1EA-62D6-E43C-010000006202}4304C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofd.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationmofd.dllMD5=0382CBA557A8FF4DE06261510BE2030F,SHA256=B233C81930205E15241CFD825470B1404FED2FA542FE11F774941894CCB13257trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420086Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.496{C2494F38-B1EA-62D6-E43C-010000006202}4304C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012420085Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.496{C2494F38-6EF5-62CC-0C00-000000006202}7366328C:\Windows\system32\svchost.exe{C2494F38-B1EA-62D6-E43C-010000006202}4304c:\windows\system32\wbem\mofcomp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420084Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.496{C2494F38-B1EA-62D6-E43C-010000006202}4304C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012420083Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 13:30:18.496{C2494F38-B1EA-62D6-E43C-010000006202}4304c:\windows\system32\wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012420082Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 13:30:18.496{C2494F38-B1EA-62D6-E43C-010000006202}4304c:\windows\system32\wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420081Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.496{C2494F38-B1EA-62D6-E43C-010000006202}4304C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420080Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.496{C2494F38-B1EA-62D6-E43C-010000006202}4304C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420079Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.496{C2494F38-B1EA-62D6-E43C-010000006202}4304C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420078Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.496{C2494F38-B1EA-62D6-E43C-010000006202}4304C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420077Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.496{C2494F38-B1EA-62D6-E43C-010000006202}4304C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420076Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.496{C2494F38-B1EA-62D6-E43C-010000006202}4304C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5192 (rs1_release.220610-1622)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=10B8B28AD9FDD41A2EB75DE349C25523,SHA256=56BB0955AF60E4E9FEDF3AC83FB96CCC1D66A8540F3450BAC3F30CD16BF16416trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420075Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.496{C2494F38-B1EA-62D6-E43C-010000006202}4304C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420074Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.496{C2494F38-B1EA-62D6-E43C-010000006202}4304C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420073Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.496{C2494F38-B1EA-62D6-E43C-010000006202}4304C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012420072Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.496{C2494F38-B1EA-62D6-E33C-010000006202}81604776C:\Windows\system32\conhost.exe{C2494F38-B1EA-62D6-E43C-010000006202}4304c:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420071Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.496{C2494F38-B1EA-62D6-E43C-010000006202}4304C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420070Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.496{C2494F38-B1EA-62D6-E43C-010000006202}4304C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420069Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.480{C2494F38-B1EA-62D6-E43C-010000006202}4304C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012420068Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.480{C2494F38-B1EA-62D6-E43C-010000006202}4304C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exeMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFAtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012420067Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.480{C2494F38-6F0F-62CC-7C00-000000006202}19681388C:\Windows\system32\csrss.exe{C2494F38-B1EA-62D6-E43C-010000006202}4304c:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012420066Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.480{C2494F38-B1EA-62D6-E23C-010000006202}30645820C:\Windows\SYSTEM32\cmd.exe{C2494F38-B1EA-62D6-E43C-010000006202}4304c:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\SYSTEM32\cmd.exe+f1e1|C:\Windows\SYSTEM32\cmd.exe+11a37|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x800000000000000012420065Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.493{C2494F38-B1EA-62D6-E43C-010000006202}4304C:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exec:\windows\system32\wbem\mofcomp.exe c:\users\administrator\desktop\test.mofC:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFA{C2494F38-B1EA-62D6-E23C-010000006202}3064C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\wbem\mofcomp.exe c:\users\administrator\desktop\test.mof"WIN-HOST-MHAAG-\Administrator 154100x800000000000000012420030Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.461{C2494F38-B1EA-62D6-E33C-010000006202}8160C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{C2494F38-B1EA-62D6-E23C-010000006202}3064C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\wbem\mofcomp.exe c:\users\administrator\desktop\test.mof"WIN-HOST-MHAAG-\Administrator 154100x800000000000000012420023Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:30:18.455{C2494F38-B1EA-62D6-E23C-010000006202}3064C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "c:\windows\system32\wbem\mofcomp.exe c:\users\administrator\desktop\test.mof"C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{C2494F38-4572-62D0-FC79-000000006202}5140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x800000000000000012419405Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:29:53.449{C2494F38-B1D1-62D6-DC3C-010000006202}5192C:\Windows\System32\wbem\mofcomp.exeWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012419404Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 13:29:53.433{C2494F38-B1D1-62D6-DC3C-010000006202}5192c:\windows\system32\wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012419403Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 13:29:53.433{C2494F38-B1D1-62D6-DC3C-010000006202}5192c:\windows\system32\wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012419402Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:29:53.433{C2494F38-B1D1-62D6-DC3C-010000006202}5192C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012419401Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:29:53.433{C2494F38-B1D1-62D6-DC3C-010000006202}5192C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012419400Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:29:53.433{C2494F38-B1D1-62D6-DC3C-010000006202}5192C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012419399Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:29:53.433{C2494F38-B1D1-62D6-DC3C-010000006202}5192C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012419398Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:29:53.433{C2494F38-B1D1-62D6-DC3C-010000006202}5192C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012419397Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:29:53.433{C2494F38-B1D1-62D6-DC3C-010000006202}5192C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5192 (rs1_release.220610-1622)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=10B8B28AD9FDD41A2EB75DE349C25523,SHA256=56BB0955AF60E4E9FEDF3AC83FB96CCC1D66A8540F3450BAC3F30CD16BF16416trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012419396Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:29:53.433{C2494F38-B1D1-62D6-DC3C-010000006202}5192C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012419395Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:29:53.433{C2494F38-B1D1-62D6-DC3C-010000006202}5192C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012419394Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:29:53.433{C2494F38-B1D1-62D6-DC3C-010000006202}5192C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012419393Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:29:53.433{C2494F38-B1D1-62D6-DB3C-010000006202}14247552C:\Windows\system32\conhost.exe{C2494F38-B1D1-62D6-DC3C-010000006202}5192c:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 734700x800000000000000012419392Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:29:53.433{C2494F38-B1D1-62D6-DC3C-010000006202}5192C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012419391Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:29:53.433{C2494F38-B1D1-62D6-DC3C-010000006202}5192C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012419390Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:29:53.433{C2494F38-B1D1-62D6-DC3C-010000006202}5192C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012419389Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:29:53.433{C2494F38-B1D1-62D6-DC3C-010000006202}5192C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exeMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFAtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012419388Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:29:53.433{C2494F38-6F0F-62CC-7C00-000000006202}19683176C:\Windows\system32\csrss.exe{C2494F38-B1D1-62D6-DC3C-010000006202}5192c:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012419387Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:29:53.433{C2494F38-B1D1-62D6-DA3C-010000006202}16725800C:\Windows\SYSTEM32\cmd.exe{C2494F38-B1D1-62D6-DC3C-010000006202}5192c:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\SYSTEM32\cmd.exe+f1e1|C:\Windows\SYSTEM32\cmd.exe+11a37|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x800000000000000012419386Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:29:53.435{C2494F38-B1D1-62D6-DC3C-010000006202}5192C:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exec:\windows\system32\wbem\mofcomp.exe c:\users\administrator\test.mofC:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFA{C2494F38-B1D1-62D6-DA3C-010000006202}1672C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\wbem\mofcomp.exe c:\users\administrator\test.mof"WIN-HOST-MHAAG-\Administrator 154100x800000000000000012419299Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:29:53.409{C2494F38-B1D1-62D6-DB3C-010000006202}1424C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{C2494F38-B1D1-62D6-DA3C-010000006202}1672C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\wbem\mofcomp.exe c:\users\administrator\test.mof"WIN-HOST-MHAAG-\Administrator 154100x800000000000000012419292Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 13:29:53.401{C2494F38-B1D1-62D6-DA3C-010000006202}1672C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "c:\windows\system32\wbem\mofcomp.exe c:\users\administrator\test.mof"C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{C2494F38-4572-62D0-FC79-000000006202}5140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x800000000000000012394096Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.276{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\wbem\mofcomp.exeWIN-HOST-MHAAG-\Administrator 23542300x800000000000000012394095Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.276{C2494F38-A87E-62D6-BB3B-010000006202}6504WIN-HOST-MHAAG-\AdministratorC:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp9F4B.tmpMD5=766C78D5819436280919747DE0E85C5F,SHA256=0BAA1FFC7CD34206F3B4E28DD178C9457560C31929164F2FE0B162160F679FA1falsetrue 734700x800000000000000012394094Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.276{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 11241100x800000000000000012394093Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.261{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp9F4B.tmp2022-07-19 12:50:06.261WIN-HOST-MHAAG-\Administrator 23542300x800000000000000012394092Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.261{C2494F38-A87E-62D6-BB3B-010000006202}6504WIN-HOST-MHAAG-\AdministratorC:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp9F4B.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000012394091Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.261{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp9F4B.tmp2022-07-19 12:50:06.261WIN-HOST-MHAAG-\Administrator 734700x800000000000000012394090Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.261{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012394089Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.261{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012394088Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.261{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofd.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationmofd.dllMD5=0382CBA557A8FF4DE06261510BE2030F,SHA256=B233C81930205E15241CFD825470B1404FED2FA542FE11F774941894CCB13257trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012394087Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.261{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012394086Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.261{C2494F38-6EF5-62CC-0C00-000000006202}7366016C:\Windows\system32\svchost.exe{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\Wbem\mofcomp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012394085Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.261{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012394084Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:50:06.261{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012394083Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:50:06.261{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012394082Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.261{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012394081Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.261{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012394080Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.261{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012394079Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.261{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012394078Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.261{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012394077Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.261{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5192 (rs1_release.220610-1622)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=10B8B28AD9FDD41A2EB75DE349C25523,SHA256=56BB0955AF60E4E9FEDF3AC83FB96CCC1D66A8540F3450BAC3F30CD16BF16416trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012394076Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.261{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012394075Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.245{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012394074Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.245{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012394073Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.245{C2494F38-4572-62D0-FD79-000000006202}13841856C:\Windows\system32\conhost.exe{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 734700x800000000000000012394072Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.245{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012394071Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.245{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012394070Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.245{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012394069Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.245{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exeMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFAtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012394068Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.245{C2494F38-6F0F-62CC-7C00-000000006202}19681388C:\Windows\system32\csrss.exe{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012394067Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.245{C2494F38-4572-62D0-FC79-000000006202}51406136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+15c04d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a000ef|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a63b61|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45a01|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a36721|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a437d5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a28428|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a2799aWIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x800000000000000012394066Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:50:06.253{C2494F38-A87E-62D6-BB3B-010000006202}6504C:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exe"C:\Windows\System32\Wbem\mofcomp.exe" .\test.mofC:\Users\Administrator\Desktop\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFA{C2494F38-4572-62D0-FC79-000000006202}5140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x800000000000000012393923Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.566{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\wbem\mofcomp.exeWIN-HOST-MHAAG-\Administrator 23542300x800000000000000012393922Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.566{C2494F38-A85D-62D6-B93B-010000006202}8172WIN-HOST-MHAAG-\AdministratorC:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp1F7D.tmpMD5=38A40D16B2A2C0B13E45ECAA3959309F,SHA256=48662B3339DDCBC5E6530B8CF144190F9AB0E2CE72EB270E28130DE4BE4CCCCBfalsetrue 734700x800000000000000012393921Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.566{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 11241100x800000000000000012393920Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.566{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp1F7D.tmp2022-07-19 12:49:33.551WIN-HOST-MHAAG-\Administrator 23542300x800000000000000012393919Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.566{C2494F38-A85D-62D6-B93B-010000006202}8172WIN-HOST-MHAAG-\AdministratorC:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp1F7D.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000012393918Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.566{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp1F7D.tmp2022-07-19 12:49:33.551WIN-HOST-MHAAG-\Administrator 734700x800000000000000012393917Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.551{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393916Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.551{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393915Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.551{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofd.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationmofd.dllMD5=0382CBA557A8FF4DE06261510BE2030F,SHA256=B233C81930205E15241CFD825470B1404FED2FA542FE11F774941894CCB13257trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393914Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.551{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012393913Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.551{C2494F38-6EF5-62CC-0C00-000000006202}7366016C:\Windows\system32\svchost.exe{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\Wbem\mofcomp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393912Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.551{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012393911Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:49:33.551{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012393910Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:49:33.551{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393909Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.551{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393908Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.551{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393907Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.551{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393906Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.551{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393905Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.551{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393904Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.551{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5192 (rs1_release.220610-1622)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=10B8B28AD9FDD41A2EB75DE349C25523,SHA256=56BB0955AF60E4E9FEDF3AC83FB96CCC1D66A8540F3450BAC3F30CD16BF16416trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393903Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.551{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393902Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.551{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393901Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.551{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012393900Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.551{C2494F38-4572-62D0-FD79-000000006202}13841856C:\Windows\system32\conhost.exe{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393899Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.551{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393898Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.551{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393897Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.551{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393896Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.551{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exeMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFAtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012393895Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.535{C2494F38-6F0F-62CC-7C00-000000006202}19681388C:\Windows\system32\csrss.exe{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012393894Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.535{C2494F38-4572-62D0-FC79-000000006202}51406136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+15c04d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a000ef|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a63b61|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45a01|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a36721|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a437d5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a28428|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a2799aWIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x800000000000000012393893Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:33.548{C2494F38-A85D-62D6-B93B-010000006202}8172C:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exe"C:\Windows\System32\Wbem\mofcomp.exe" .\test.mofC:\Users\Administrator\Desktop\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFA{C2494F38-4572-62D0-FC79-000000006202}5140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 734700x800000000000000012393870Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.551{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393843Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.535{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofd.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationmofd.dllMD5=0382CBA557A8FF4DE06261510BE2030F,SHA256=B233C81930205E15241CFD825470B1404FED2FA542FE11F774941894CCB13257trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 534500x800000000000000012393820Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.551{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\wbem\mofcomp.exeWIN-HOST-MHAAG-\Administrator 23542300x800000000000000012393818Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.551{C2494F38-A859-62D6-B83B-010000006202}1964WIN-HOST-MHAAG-\AdministratorC:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmpFCD.tmpMD5=38A40D16B2A2C0B13E45ECAA3959309F,SHA256=48662B3339DDCBC5E6530B8CF144190F9AB0E2CE72EB270E28130DE4BE4CCCCBfalsetrue 11241100x800000000000000012393816Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.551{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmpFCD.tmp2022-07-19 12:49:29.535WIN-HOST-MHAAG-\Administrator 23542300x800000000000000012393815Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.551{C2494F38-A859-62D6-B83B-010000006202}1964WIN-HOST-MHAAG-\AdministratorC:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmpFCD.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000012393814Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.535{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmpFCD.tmp2022-07-19 12:49:29.535WIN-HOST-MHAAG-\Administrator 734700x800000000000000012393813Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.535{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393811Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.535{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393809Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.535{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012393808Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.535{C2494F38-6EF5-62CC-0C00-000000006202}7366016C:\Windows\system32\svchost.exe{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\Wbem\mofcomp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393807Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.535{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393806Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.535{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exeMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFAtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012393805Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:49:29.535{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012393803Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:49:29.535{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393780Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.535{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393779Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.535{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393778Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.535{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393777Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.535{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393776Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.535{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393775Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.535{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5192 (rs1_release.220610-1622)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=10B8B28AD9FDD41A2EB75DE349C25523,SHA256=56BB0955AF60E4E9FEDF3AC83FB96CCC1D66A8540F3450BAC3F30CD16BF16416trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393774Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.535{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393773Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.535{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393771Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.535{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012393770Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.535{C2494F38-4572-62D0-FD79-000000006202}13841856C:\Windows\system32\conhost.exe{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393769Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.535{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393768Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.535{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012393765Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.535{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012393764Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.519{C2494F38-6F0F-62CC-7C00-000000006202}19681388C:\Windows\system32\csrss.exe{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012393763Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.519{C2494F38-4572-62D0-FC79-000000006202}51406136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+15c04d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a000ef|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a63b61|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45a01|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a36721|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a437d5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a28428|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a2799aWIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x800000000000000012393762Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:49:29.532{C2494F38-A859-62D6-B83B-010000006202}1964C:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exe"C:\Windows\System32\Wbem\mofcomp.exe" .\test.mofC:\Users\Administrator\Desktop\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFA{C2494F38-4572-62D0-FC79-000000006202}5140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x800000000000000012389249Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.168{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeWIN-HOST-MHAAG-\Administrator 23542300x800000000000000012389248Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.168{C2494F38-A71E-62D6-883B-010000006202}5936WIN-HOST-MHAAG-\AdministratorC:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp3FCE.tmpMD5=0A54F199733319E0EB347A07A1F7306E,SHA256=1101B9326E29D6F0B84D91F5F3C9A8AD5164E295C50743F599A447F4928A703Afalsetrue 13241300x800000000000000012389246Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-SetValue2022-07-19 12:44:14.152{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM\Autorecover MOFs timestamp133027082541528700WIN-HOST-MHAAG-\Administrator 13241300x800000000000000012389245Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-SetValue2022-07-19 12:44:14.152{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM\Autorecover MOFsBinary DataWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012389244Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:44:14.152{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 11241100x800000000000000012389243Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.152{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\Wbem\mofcomp.exeC:\Windows\System32\wbem\AutoRecover\8229145E85010A4E1093212235C5A54D.mof2022-07-19 12:31:42.333WIN-HOST-MHAAG-\Administrator 23542300x800000000000000012389242Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.152{C2494F38-A71E-62D6-883B-010000006202}5936WIN-HOST-MHAAG-\AdministratorC:\Windows\System32\Wbem\mofcomp.exeC:\Windows\System32\wbem\AutoRecover\8229145E85010A4E1093212235C5A54D.mofMD5=AD804C60EEEF47AA1DBB013404044372,SHA256=DF0897D1D8A21B640B2D18B8B6A65BF5723844C45D3C8F452F2D8F4B0E62A367falsetrue 734700x800000000000000012389231Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.137{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012389230Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.137{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012389229Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.137{C2494F38-6EF4-62CC-0B00-000000006202}6401336C:\Windows\system32\lsass.exe{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\Wbem\mofcomp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6edfc|C:\Windows\system32\lsasrv.dll+e71d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012389228Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.137{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012389227Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.137{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 11241100x800000000000000012389226Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.137{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp3FCE.tmp2022-07-19 12:44:14.137WIN-HOST-MHAAG-\Administrator 23542300x800000000000000012389225Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.137{C2494F38-A71E-62D6-883B-010000006202}5936WIN-HOST-MHAAG-\AdministratorC:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp3FCE.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000012389224Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.137{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmp3FCE.tmp2022-07-19 12:44:14.137WIN-HOST-MHAAG-\Administrator 734700x800000000000000012389223Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.137{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012389222Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.137{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012389221Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.137{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofd.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationmofd.dllMD5=0382CBA557A8FF4DE06261510BE2030F,SHA256=B233C81930205E15241CFD825470B1404FED2FA542FE11F774941894CCB13257trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012389220Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.137{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012389219Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.137{C2494F38-6EF5-62CC-0C00-000000006202}7366016C:\Windows\system32\svchost.exe{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\Wbem\mofcomp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012389218Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.137{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012389217Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:44:14.121{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012389216Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:44:14.121{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012389215Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.121{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012389214Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.121{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012389213Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.121{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012389212Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.121{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012389211Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.121{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012389210Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.121{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5192 (rs1_release.220610-1622)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=10B8B28AD9FDD41A2EB75DE349C25523,SHA256=56BB0955AF60E4E9FEDF3AC83FB96CCC1D66A8540F3450BAC3F30CD16BF16416trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012389209Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.121{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012389208Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.121{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012389207Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.121{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012389206Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.121{C2494F38-4572-62D0-FD79-000000006202}13841856C:\Windows\system32\conhost.exe{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 734700x800000000000000012389205Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.121{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012389204Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.121{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012389203Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.121{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012389202Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.121{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exeMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFAtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012389201Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.121{C2494F38-6F0F-62CC-7C00-000000006202}19683176C:\Windows\system32\csrss.exe{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012389200Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.121{C2494F38-4572-62D0-FC79-000000006202}51406136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+15c04d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a000ef|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a63b61|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45a01|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a36721|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a437d5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a28428|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a2799aWIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x800000000000000012389199Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:44:14.125{C2494F38-A71E-62D6-883B-010000006202}5936C:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exe"C:\Windows\System32\Wbem\mofcomp.exe" .\test.mofC:\Users\Administrator\Desktop\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFA{C2494F38-4572-62D0-FC79-000000006202}5140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x800000000000000012380658Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.880{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeWIN-HOST-MHAAG-\Administrator 23542300x800000000000000012380657Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.880{C2494F38-A602-62D6-603B-010000006202}924WIN-HOST-MHAAG-\AdministratorC:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmpED3D.tmpMD5=99EC354C53131996D4965C7F8950B4D5,SHA256=2D8D50D40AE2BDC846BF61F50DC406D1D92BC399CC91ECCA564AFC472E01A3A6falsetrue 734700x800000000000000012380645Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.849{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012380644Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.849{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012380643Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.849{C2494F38-6EF4-62CC-0B00-000000006202}6401336C:\Windows\system32\lsass.exe{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\Wbem\mofcomp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6edfc|C:\Windows\system32\lsasrv.dll+e71d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012380642Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.849{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012380641Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.849{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 11241100x800000000000000012380640Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.849{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmpED3D.tmp2022-07-19 12:39:30.849WIN-HOST-MHAAG-\Administrator 23542300x800000000000000012380639Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.849{C2494F38-A602-62D6-603B-010000006202}924WIN-HOST-MHAAG-\AdministratorC:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmpED3D.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000012380638Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.849{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\Wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmpED3D.tmp2022-07-19 12:39:30.849WIN-HOST-MHAAG-\Administrator 734700x800000000000000012380637Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.849{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012380636Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.849{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012380635Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.849{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofd.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationmofd.dllMD5=0382CBA557A8FF4DE06261510BE2030F,SHA256=B233C81930205E15241CFD825470B1404FED2FA542FE11F774941894CCB13257trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012380634Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.849{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012380633Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.849{C2494F38-6EF5-62CC-0C00-000000006202}7366016C:\Windows\system32\svchost.exe{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\Wbem\mofcomp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012380632Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.833{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012380631Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:39:30.833{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012380630Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:39:30.833{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012380629Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.833{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012380628Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.833{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012380627Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.833{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012380626Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.833{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012380625Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.833{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012380624Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.833{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5192 (rs1_release.220610-1622)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=10B8B28AD9FDD41A2EB75DE349C25523,SHA256=56BB0955AF60E4E9FEDF3AC83FB96CCC1D66A8540F3450BAC3F30CD16BF16416trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012380623Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.833{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012380622Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.833{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012380621Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.833{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012380620Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.833{C2494F38-4572-62D0-FD79-000000006202}13841856C:\Windows\system32\conhost.exe{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 734700x800000000000000012380619Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.833{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012380618Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.833{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012380617Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.833{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012380616Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.833{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exeMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFAtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012380615Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.833{C2494F38-6F0F-62CC-7C00-000000006202}19681388C:\Windows\system32\csrss.exe{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012380614Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.833{C2494F38-4572-62D0-FC79-000000006202}51406136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+15c04d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a000ef|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a63b61|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45a01|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a36721|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a437d5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a28428|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a2799aWIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x800000000000000012380613Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:39:30.836{C2494F38-A602-62D6-603B-010000006202}924C:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exe"C:\Windows\System32\Wbem\mofcomp.exe" .\test.mofC:\Users\Administrator\Desktop\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFA{C2494F38-4572-62D0-FC79-000000006202}5140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x800000000000000012378355Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:36:07.130{C2494F38-A537-62D6-423B-010000006202}3860C:\Windows\System32\wbem\mofcomp.exeWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012378354Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:36:07.114{C2494F38-A537-62D6-423B-010000006202}3860C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012378353Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:36:07.114{C2494F38-A537-62D6-423B-010000006202}3860C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378352Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:36:07.114{C2494F38-A537-62D6-423B-010000006202}3860C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378351Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:36:07.114{C2494F38-A537-62D6-423B-010000006202}3860C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378350Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:36:07.114{C2494F38-A537-62D6-423B-010000006202}3860C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378349Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:36:07.114{C2494F38-A537-62D6-423B-010000006202}3860C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378348Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:36:07.114{C2494F38-A537-62D6-423B-010000006202}3860C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378347Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:36:07.114{C2494F38-A537-62D6-423B-010000006202}3860C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5192 (rs1_release.220610-1622)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=10B8B28AD9FDD41A2EB75DE349C25523,SHA256=56BB0955AF60E4E9FEDF3AC83FB96CCC1D66A8540F3450BAC3F30CD16BF16416trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378346Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:36:07.114{C2494F38-A537-62D6-423B-010000006202}3860C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378345Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:36:07.114{C2494F38-A537-62D6-423B-010000006202}3860C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378344Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:36:07.114{C2494F38-A537-62D6-423B-010000006202}3860C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012378343Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:36:07.114{C2494F38-4572-62D0-FD79-000000006202}13841856C:\Windows\system32\conhost.exe{C2494F38-A537-62D6-423B-010000006202}3860C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378342Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:36:07.098{C2494F38-A537-62D6-423B-010000006202}3860C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378341Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:36:07.098{C2494F38-A537-62D6-423B-010000006202}3860C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378340Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:36:07.098{C2494F38-A537-62D6-423B-010000006202}3860C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378339Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:36:07.098{C2494F38-A537-62D6-423B-010000006202}3860C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exeMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFAtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012378338Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:36:07.098{C2494F38-6F0F-62CC-7C00-000000006202}19683520C:\Windows\system32\csrss.exe{C2494F38-A537-62D6-423B-010000006202}3860C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012378337Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:36:07.098{C2494F38-4572-62D0-FC79-000000006202}51406136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{C2494F38-A537-62D6-423B-010000006202}3860C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+15c04d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a000ef|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a63b61|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45a01|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a36721|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a437d5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a28428|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a2799aWIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x800000000000000012378336Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:36:07.110{C2494F38-A537-62D6-423B-010000006202}3860C:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exe"C:\Windows\System32\Wbem\mofcomp.exe" -N https://gist.githubusercontent.com/MHaggis/b7fe00e3f4b12de4dc302ad3b0a9b26f/raw/5f6b35cce55d038403bbc38272f45853ea42c390/test.mof\root\subscription c:\temp\test.mofC:\Users\Administrator\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFA{C2494F38-4572-62D0-FC79-000000006202}5140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x800000000000000012378275Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:35:45.208{C2494F38-A521-62D6-413B-010000006202}5812C:\Windows\System32\wbem\mofcomp.exeWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012378274Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:35:45.145{C2494F38-A521-62D6-413B-010000006202}5812C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012378273Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:35:45.145{C2494F38-A521-62D6-413B-010000006202}5812C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378272Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:35:45.145{C2494F38-A521-62D6-413B-010000006202}5812C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378271Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:35:45.145{C2494F38-A521-62D6-413B-010000006202}5812C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378270Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:35:45.145{C2494F38-A521-62D6-413B-010000006202}5812C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378269Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:35:45.130{C2494F38-A521-62D6-413B-010000006202}5812C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378268Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:35:45.130{C2494F38-A521-62D6-413B-010000006202}5812C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378267Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:35:45.130{C2494F38-A521-62D6-413B-010000006202}5812C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5192 (rs1_release.220610-1622)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=10B8B28AD9FDD41A2EB75DE349C25523,SHA256=56BB0955AF60E4E9FEDF3AC83FB96CCC1D66A8540F3450BAC3F30CD16BF16416trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378266Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:35:45.130{C2494F38-A521-62D6-413B-010000006202}5812C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378265Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:35:45.130{C2494F38-A521-62D6-413B-010000006202}5812C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378264Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:35:45.130{C2494F38-A521-62D6-413B-010000006202}5812C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012378263Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:35:45.130{C2494F38-4572-62D0-FD79-000000006202}13841856C:\Windows\system32\conhost.exe{C2494F38-A521-62D6-413B-010000006202}5812C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378262Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:35:45.130{C2494F38-A521-62D6-413B-010000006202}5812C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378261Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:35:45.130{C2494F38-A521-62D6-413B-010000006202}5812C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378260Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:35:45.130{C2494F38-A521-62D6-413B-010000006202}5812C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012378259Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:35:45.130{C2494F38-A521-62D6-413B-010000006202}5812C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exeMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFAtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012378258Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:35:45.114{C2494F38-6F0F-62CC-7C00-000000006202}19683520C:\Windows\system32\csrss.exe{C2494F38-A521-62D6-413B-010000006202}5812C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012378257Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:35:45.114{C2494F38-4572-62D0-FC79-000000006202}51406136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{C2494F38-A521-62D6-413B-010000006202}5812C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+15c04d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a000ef|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a63b61|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45a01|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a36721|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a437d5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a28428|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a2799aWIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x800000000000000012378256Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:35:45.128{C2494F38-A521-62D6-413B-010000006202}5812C:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exe"C:\Windows\System32\Wbem\mofcomp.exe" -N https://gist.githubusercontent.com/MHaggis/b7fe00e3f4b12de4dc302ad3b0a9b26f/raw/5f6b35cce55d038403bbc38272f45853ea42c390/test.mof c:\temp\test.mofC:\Users\Administrator\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFA{C2494F38-4572-62D0-FC79-000000006202}5140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x800000000000000012377357Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:34:38.917{C2494F38-A4DE-62D6-363B-010000006202}7696C:\Windows\System32\wbem\mofcomp.exeWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012377356Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:34:38.917{C2494F38-A4DE-62D6-363B-010000006202}7696C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012377355Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:34:38.917{C2494F38-A4DE-62D6-363B-010000006202}7696C:\Windows\System32\Wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012377354Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:34:38.917{C2494F38-A4DE-62D6-363B-010000006202}7696C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012377353Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:34:38.917{C2494F38-A4DE-62D6-363B-010000006202}7696C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012377352Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:34:38.917{C2494F38-A4DE-62D6-363B-010000006202}7696C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012377351Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:34:38.917{C2494F38-A4DE-62D6-363B-010000006202}7696C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012377350Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:34:38.901{C2494F38-A4DE-62D6-363B-010000006202}7696C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012377349Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:34:38.901{C2494F38-A4DE-62D6-363B-010000006202}7696C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5192 (rs1_release.220610-1622)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=10B8B28AD9FDD41A2EB75DE349C25523,SHA256=56BB0955AF60E4E9FEDF3AC83FB96CCC1D66A8540F3450BAC3F30CD16BF16416trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012377348Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:34:38.901{C2494F38-A4DE-62D6-363B-010000006202}7696C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012377347Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:34:38.901{C2494F38-A4DE-62D6-363B-010000006202}7696C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012377346Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:34:38.901{C2494F38-A4DE-62D6-363B-010000006202}7696C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012377345Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:34:38.901{C2494F38-4572-62D0-FD79-000000006202}13841856C:\Windows\system32\conhost.exe{C2494F38-A4DE-62D6-363B-010000006202}7696C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 734700x800000000000000012377344Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:34:38.901{C2494F38-A4DE-62D6-363B-010000006202}7696C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012377343Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:34:38.901{C2494F38-A4DE-62D6-363B-010000006202}7696C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012377342Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:34:38.901{C2494F38-A4DE-62D6-363B-010000006202}7696C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012377341Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:34:38.901{C2494F38-A4DE-62D6-363B-010000006202}7696C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exeMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFAtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012377340Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:34:38.901{C2494F38-6F0F-62CC-7C00-000000006202}19681388C:\Windows\system32\csrss.exe{C2494F38-A4DE-62D6-363B-010000006202}7696C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012377339Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:34:38.901{C2494F38-4572-62D0-FC79-000000006202}51406136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{C2494F38-A4DE-62D6-363B-010000006202}7696C:\Windows\System32\Wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cffd7931a364802b9133934cad751466\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+15c04d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a000ef|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a63b61|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45b70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a45a01|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a36721|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43c63|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a437d5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a43542|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a4317d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+150b89b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a28428|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\7e06618588012d9acfe1c11e5f73ae5e\System.Management.Automation.ni.dll+a2799aWIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x800000000000000012377338Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:34:38.909{C2494F38-A4DE-62D6-363B-010000006202}7696C:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exe"C:\Windows\System32\Wbem\mofcomp.exe" https://gist.githubusercontent.com/MHaggis/b7fe00e3f4b12de4dc302ad3b0a9b26f/raw/5f6b35cce55d038403bbc38272f45853ea42c390/test.mofC:\Users\Administrator\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFA{C2494F38-4572-62D0-FC79-000000006202}5140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x800000000000000012375574Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.349{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeWIN-HOST-MHAAG-\Administrator 23542300x800000000000000012375573Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.349{C2494F38-A42E-62D6-203B-010000006202}8112WIN-HOST-MHAAG-\Administratorc:\windows\system32\wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmpC719.tmpMD5=ACECB07A0DBB1945B808AB4DE287D503,SHA256=BD5A87B45C9F6CF4C813E62B4EA000236B823B1348BA8891D6DC7FC7BD775E9Dfalsetrue 13241300x800000000000000012375571Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-SetValue2022-07-19 12:31:42.333{C2494F38-A42E-62D6-203B-010000006202}8112c:\windows\system32\wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM\Autorecover MOFs timestamp133027075023335179WIN-HOST-MHAAG-\Administrator 13241300x800000000000000012375570Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-SetValue2022-07-19 12:31:42.333{C2494F38-A42E-62D6-203B-010000006202}8112c:\windows\system32\wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM\Autorecover MOFsBinary DataWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012375569Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:31:42.333{C2494F38-A42E-62D6-203B-010000006202}8112c:\windows\system32\wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 11241100x800000000000000012375568Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.333{C2494F38-A42E-62D6-203B-010000006202}8112c:\windows\system32\wbem\mofcomp.exeC:\Windows\System32\wbem\AutoRecover\8229145E85010A4E1093212235C5A54D.mof2022-07-19 12:31:42.333WIN-HOST-MHAAG-\Administrator 734700x800000000000000012375558Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.317{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012375557Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.317{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012375556Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.317{C2494F38-6EF4-62CC-0B00-000000006202}6401336C:\Windows\system32\lsass.exe{C2494F38-A42E-62D6-203B-010000006202}8112c:\windows\system32\wbem\mofcomp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6edfc|C:\Windows\system32\lsasrv.dll+e71d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012375555Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.317{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012375554Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.317{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 11241100x800000000000000012375553Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.317{C2494F38-A42E-62D6-203B-010000006202}8112c:\windows\system32\wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmpC719.tmp2022-07-19 12:31:42.317WIN-HOST-MHAAG-\Administrator 23542300x800000000000000012375552Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.317{C2494F38-A42E-62D6-203B-010000006202}8112WIN-HOST-MHAAG-\Administratorc:\windows\system32\wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmpC719.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000012375551Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.317{C2494F38-A42E-62D6-203B-010000006202}8112c:\windows\system32\wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmpC719.tmp2022-07-19 12:31:42.317WIN-HOST-MHAAG-\Administrator 734700x800000000000000012375550Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.317{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012375549Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.317{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012375548Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.302{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofd.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationmofd.dllMD5=0382CBA557A8FF4DE06261510BE2030F,SHA256=B233C81930205E15241CFD825470B1404FED2FA542FE11F774941894CCB13257trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012375547Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.302{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012375546Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.302{C2494F38-6EF5-62CC-0C00-000000006202}736360C:\Windows\system32\svchost.exe{C2494F38-A42E-62D6-203B-010000006202}8112c:\windows\system32\wbem\mofcomp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012375545Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.302{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012375544Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:31:42.302{C2494F38-A42E-62D6-203B-010000006202}8112c:\windows\system32\wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012375543Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:31:42.302{C2494F38-A42E-62D6-203B-010000006202}8112c:\windows\system32\wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012375542Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.302{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012375541Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.302{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012375540Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.302{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012375539Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.302{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012375538Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.302{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012375537Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.302{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5192 (rs1_release.220610-1622)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=10B8B28AD9FDD41A2EB75DE349C25523,SHA256=56BB0955AF60E4E9FEDF3AC83FB96CCC1D66A8540F3450BAC3F30CD16BF16416trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012375536Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.302{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012375535Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.302{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012375534Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.302{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012375533Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.302{C2494F38-A42E-62D6-1F3B-010000006202}73726400C:\Windows\system32\conhost.exe{C2494F38-A42E-62D6-203B-010000006202}8112c:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 734700x800000000000000012375532Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.302{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012375531Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.302{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012375530Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.302{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012375529Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.302{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exeMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFAtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012375528Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.302{C2494F38-6F0F-62CC-7C00-000000006202}19681388C:\Windows\system32\csrss.exe{C2494F38-A42E-62D6-203B-010000006202}8112c:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012375527Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.302{C2494F38-A42E-62D6-1E3B-010000006202}66644592C:\Windows\SYSTEM32\cmd.exe{C2494F38-A42E-62D6-203B-010000006202}8112c:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\SYSTEM32\cmd.exe+f1e1|C:\Windows\SYSTEM32\cmd.exe+11a37|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x800000000000000012375526Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.304{C2494F38-A42E-62D6-203B-010000006202}8112C:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exec:\windows\system32\wbem\mofcomp.exe c:\users\administrator\desktop\test.mofC:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFA{C2494F38-A42E-62D6-1E3B-010000006202}6664C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\wbem\mofcomp.exe c:\users\administrator\desktop\test.mof"WIN-HOST-MHAAG-\Administrator 154100x800000000000000012375491Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.271{C2494F38-A42E-62D6-1F3B-010000006202}7372C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{C2494F38-A42E-62D6-1E3B-010000006202}6664C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\wbem\mofcomp.exe c:\users\administrator\desktop\test.mof"WIN-HOST-MHAAG-\Administrator 154100x800000000000000012375484Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:31:42.266{C2494F38-A42E-62D6-1E3B-010000006202}6664C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "c:\windows\system32\wbem\mofcomp.exe c:\users\administrator\desktop\test.mof"C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{C2494F38-4572-62D0-FC79-000000006202}5140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x800000000000000012374451Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.978{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeWIN-HOST-MHAAG-\Administrator 23542300x800000000000000012374450Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.978{C2494F38-A3FD-62D6-123B-010000006202}6336WIN-HOST-MHAAG-\Administratorc:\windows\system32\wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmpA03.tmpMD5=3B30658BFDB9EA8AC9F5C4B1A8870E27,SHA256=8BF2DF45AA8B3F1D2F72E320DC9D60DA9223E110B097437DD9D2A123FFDA8583falsetrue 734700x800000000000000012374439Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.931{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012374400Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.931{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012374369Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.915{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012374357Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.915{C2494F38-6EF4-62CC-0B00-000000006202}6406088C:\Windows\system32\lsass.exe{C2494F38-A3FD-62D6-123B-010000006202}6336c:\windows\system32\wbem\mofcomp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6edfc|C:\Windows\system32\lsasrv.dll+e71d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012374355Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.915{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 11241100x800000000000000012374353Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.915{C2494F38-A3FD-62D6-123B-010000006202}6336c:\windows\system32\wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmpA03.tmp2022-07-19 12:30:53.915WIN-HOST-MHAAG-\Administrator 23542300x800000000000000012374352Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.915{C2494F38-A3FD-62D6-123B-010000006202}6336WIN-HOST-MHAAG-\Administratorc:\windows\system32\wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmpA03.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000012374351Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.915{C2494F38-A3FD-62D6-123B-010000006202}6336c:\windows\system32\wbem\mofcomp.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\tmpA03.tmp2022-07-19 12:30:53.915WIN-HOST-MHAAG-\Administrator 734700x800000000000000012374350Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.915{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012374349Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.915{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012374348Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.915{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofd.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationmofd.dllMD5=0382CBA557A8FF4DE06261510BE2030F,SHA256=B233C81930205E15241CFD825470B1404FED2FA542FE11F774941894CCB13257trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012374347Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.915{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012374346Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.900{C2494F38-6EF5-62CC-0C00-000000006202}7366016C:\Windows\system32\svchost.exe{C2494F38-A3FD-62D6-123B-010000006202}6336c:\windows\system32\wbem\mofcomp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012374345Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.900{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012374344Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:30:53.900{C2494F38-A3FD-62D6-123B-010000006202}6336c:\windows\system32\wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012374343Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:30:53.900{C2494F38-A3FD-62D6-123B-010000006202}6336c:\windows\system32\wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012374342Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.900{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012374341Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.900{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012374340Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.900{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012374339Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.900{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012374338Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.900{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012374337Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.900{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5192 (rs1_release.220610-1622)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=10B8B28AD9FDD41A2EB75DE349C25523,SHA256=56BB0955AF60E4E9FEDF3AC83FB96CCC1D66A8540F3450BAC3F30CD16BF16416trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012374336Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.884{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012374335Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.884{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012374334Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.884{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012374333Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.884{C2494F38-A3FD-62D6-113B-010000006202}8608C:\Windows\system32\conhost.exe{C2494F38-A3FD-62D6-123B-010000006202}6336c:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 734700x800000000000000012374332Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.884{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012374331Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.884{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012374330Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.884{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012374329Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.884{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exeMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFAtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012374328Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.884{C2494F38-6F0F-62CC-7C00-000000006202}19683520C:\Windows\system32\csrss.exe{C2494F38-A3FD-62D6-123B-010000006202}6336c:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012374327Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.884{C2494F38-A3FD-62D6-103B-010000006202}61767444C:\Windows\SYSTEM32\cmd.exe{C2494F38-A3FD-62D6-123B-010000006202}6336c:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\SYSTEM32\cmd.exe+f1e1|C:\Windows\SYSTEM32\cmd.exe+11a37|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x800000000000000012374326Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.891{C2494F38-A3FD-62D6-123B-010000006202}6336C:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exec:\windows\system32\wbem\mofcomp.exe c:\users\administrator\desktop\test.mofC:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFA{C2494F38-A3FD-62D6-103B-010000006202}6176C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\wbem\mofcomp.exe c:\users\administrator\desktop\test.mof"WIN-HOST-MHAAG-\Administrator 154100x800000000000000012374266Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.850{C2494F38-A3FD-62D6-113B-010000006202}860C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{C2494F38-A3FD-62D6-103B-010000006202}6176C:\Windows\System32\cmd.exe"cmd.exe" /c "c:\windows\system32\wbem\mofcomp.exe c:\users\administrator\desktop\test.mof"WIN-HOST-MHAAG-\Administrator 154100x800000000000000012374258Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:30:53.841{C2494F38-A3FD-62D6-103B-010000006202}6176C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "c:\windows\system32\wbem\mofcomp.exe c:\users\administrator\desktop\test.mof"C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{C2494F38-4572-62D0-FC79-000000006202}5140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 534500x800000000000000012370298Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:26:27.460{C2494F38-A2F3-62D6-EC3A-010000006202}6648C:\Windows\System32\wbem\mofcomp.exeWIN-HOST-MHAAG-\Administrator 734700x800000000000000012370297Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:26:27.429{C2494F38-A2F3-62D6-EC3A-010000006202}6648C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012370272Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:26:27.444{C2494F38-A2F3-62D6-EC3A-010000006202}6648c:\windows\system32\wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 12241200x800000000000000012370271Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-CreateKey2022-07-19 12:26:27.444{C2494F38-A2F3-62D6-EC3A-010000006202}6648c:\windows\system32\wbem\mofcomp.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOMWIN-HOST-MHAAG-\Administrator 734700x800000000000000012370270Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:26:27.429{C2494F38-A2F3-62D6-EC3A-010000006202}6648C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012370268Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:26:27.429{C2494F38-A2F3-62D6-EC3A-010000006202}6648C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012370267Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:26:27.429{C2494F38-A2F3-62D6-EC3A-010000006202}6648C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012370265Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:26:27.429{C2494F38-A2F3-62D6-EC3A-010000006202}6648C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012370264Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:26:27.429{C2494F38-A2F3-62D6-EC3A-010000006202}6648C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5192 (rs1_release.220610-1622)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=10B8B28AD9FDD41A2EB75DE349C25523,SHA256=56BB0955AF60E4E9FEDF3AC83FB96CCC1D66A8540F3450BAC3F30CD16BF16416trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012370263Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:26:27.429{C2494F38-A2F3-62D6-EC3A-010000006202}6648C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012370262Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:26:27.429{C2494F38-A2F3-62D6-EC3A-010000006202}6648C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012370261Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:26:27.429{C2494F38-A2F3-62D6-EC3A-010000006202}6648C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012370260Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:26:27.429{C2494F38-4248-62D0-4B79-000000006202}37044932C:\Windows\system32\conhost.exe{C2494F38-A2F3-62D6-EC3A-010000006202}6648c:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 734700x800000000000000012370259Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:26:27.429{C2494F38-A2F3-62D6-EC3A-010000006202}6648C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\KernelBase.dll10.0.14393.5125 (rs1_release.220429-1732)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D8F18C830B03B0D60C10093ECB020E60,SHA256=CF0D33CEC46BB41C6F5693A84491ACD7F7CBECB429BA6C47AB5A170D4DF3484FtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012370258Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:26:27.429{C2494F38-A2F3-62D6-EC3A-010000006202}6648C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012370257Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:26:27.429{C2494F38-A2F3-62D6-EC3A-010000006202}6648C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 734700x800000000000000012370256Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:26:27.429{C2494F38-A2F3-62D6-EC3A-010000006202}6648C:\Windows\System32\wbem\mofcomp.exeC:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exeMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFAtrueMicrosoft WindowsValidWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012370255Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:26:27.429{C2494F38-6F0F-62CC-7C00-000000006202}19683176C:\Windows\system32\csrss.exe{C2494F38-A2F3-62D6-EC3A-010000006202}6648c:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMWIN-HOST-MHAAG-\Administrator 10341000x800000000000000012370254Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:26:27.429{C2494F38-4248-62D0-4A79-000000006202}74883528C:\Windows\system32\cmd.exe{C2494F38-A2F3-62D6-EC3A-010000006202}6648c:\windows\system32\wbem\mofcomp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791WIN-HOST-MHAAG-\AdministratorWIN-HOST-MHAAG-\Administrator 154100x800000000000000012370253Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-19 12:26:27.434{C2494F38-A2F3-62D6-EC3A-010000006202}6648C:\Windows\System32\wbem\mofcomp.exe10.0.14393.4169 (rs1_release.210107-1130)The Managed Object Format (MOF) Compiler Microsoft® Windows® Operating SystemMicrosoft Corporationmofcomp.exec:\windows\system32\wbem\mofcomp.exeC:\Users\Administrator\Desktop\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=62E71E4B2AA812B92067E3BBC1225974,SHA256=E480029A0CEFD09E84F474BEF944C4DC56AF44F0AA7063D4E259621846F29BFA{C2494F38-4248-62D0-4A79-000000006202}7488C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" WIN-HOST-MHAAG-\Administrator