13241300x80000000000000002006944Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-31 18:49:13.965{92CAAE11-F7A9-6245-D92D-000000004202}3120C:\Users\Administrator\Downloads\Sigcheck\sigcheck64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\BlobBinary DataATTACKRANGE\Administrator 13241300x80000000000000002006941Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-31 18:49:13.965{92CAAE11-F7A9-6245-D92D-000000004202}3120C:\Users\Administrator\Downloads\Sigcheck\sigcheck64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\BlobBinary DataATTACKRANGE\Administrator 13241300x80000000000000001995325Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-31 18:35:44.487{92CAAE11-F480-6245-782D-000000004202}5528C:\Windows\system32\wbem\wmiprvse.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1F3D38F280635F275BE92B87CF83E40E40458400\BlobBinary DataNT AUTHORITY\LOCAL SERVICE 13241300x80000000000000001970813Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-31 18:06:03.013{92CAAE11-ED8A-6245-AA2C-000000004202}4876C:\Windows\system32\wbem\wmiprvse.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1F3D38F280635F275BE92B87CF83E40E40458400\BlobBinary DataNT AUTHORITY\LOCAL SERVICE 13241300x80000000000000001778763Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-31 14:25:42.697{92CAAE11-8602-6244-1600-000000004202}1276C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\B68D8F953E551914324E557E6164D68B9926650C\BlobBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000001778754Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-31 14:25:42.697{92CAAE11-8602-6244-1600-000000004202}1276C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\2C85006A1A028BCC349DF23C474724C055FDE8B6\BlobBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000001750225Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-31 14:08:22.989{92CAAE11-8602-6244-1600-000000004202}1276C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\B68D8F953E551914324E557E6164D68B9926650C\BlobBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000001750215Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-31 14:08:22.988{92CAAE11-8602-6244-1600-000000004202}1276C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\2C85006A1A028BCC349DF23C474724C055FDE8B6\BlobBinary DataNT AUTHORITY\SYSTEM 13241300x8000000000000000874912Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-30 21:09:20.935{92CAAE11-8610-6244-2700-000000004202}2844C:\Windows\Sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\BlobBinary DataNT AUTHORITY\SYSTEM 13241300x8000000000000000874906Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-30 21:09:20.931{92CAAE11-8610-6244-2700-000000004202}2844C:\Windows\Sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\BlobBinary DataNT AUTHORITY\SYSTEM 13241300x8000000000000000874846Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-30 21:09:19.469{92CAAE11-8602-6244-1400-000000004202}1056C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\BlobBinary DataNT AUTHORITY\NETWORK SERVICE 13241300x8000000000000000870753Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-30 21:08:28.285{92CAAE11-C6C5-6244-2209-000000004202}5408C:\Users\Administrator\Downloads\Sigcheck\sigcheck64.exeHKU\S-1-5-21-2164285820-2310154215-3626920569-500\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\3BA63A6E4841355772DEBEF9CDCF4D5AF353A297\BlobBinary DataATTACKRANGE\Administrator 13241300x8000000000000000870182Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-30 21:08:24.240{92CAAE11-C6C5-6244-2209-000000004202}5408C:\Users\Administrator\Downloads\Sigcheck\sigcheck64.exeHKU\S-1-5-21-2164285820-2310154215-3626920569-500\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AA752FE64C49ABE82913C463529CF10FF2F04EE\BlobBinary DataATTACKRANGE\Administrator 13241300x8000000000000000870036Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-30 21:08:23.431{92CAAE11-C6C5-6244-2209-000000004202}5408C:\Users\Administrator\Downloads\Sigcheck\sigcheck64.exeHKU\S-1-5-21-2164285820-2310154215-3626920569-500\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\36056A5662DCADECF82CC14C8B80EC5E0BCC59A6\BlobBinary DataATTACKRANGE\Administrator 13241300x8000000000000000870031Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-30 21:08:23.357{92CAAE11-C6C5-6244-2209-000000004202}5408C:\Users\Administrator\Downloads\Sigcheck\sigcheck64.exeHKU\S-1-5-21-2164285820-2310154215-3626920569-500\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\580A6F4CC4E4B669B9EBDC1B2B3E087B80D0678D\BlobBinary DataATTACKRANGE\Administrator 13241300x8000000000000000720080Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-30 18:28:52.522{92CAAE11-A164-6244-3704-000000004202}6620C:\Users\Administrator\Downloads\Sigcheck\sigcheck64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0022882F61DA349DE9FE5CD1C9EBA96AD7BDF266\BlobBinary DataATTACKRANGE\Administrator 13241300x8000000000000000720077Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-30 18:28:52.522{92CAAE11-A164-6244-3704-000000004202}6620C:\Users\Administrator\Downloads\Sigcheck\sigcheck64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0022882F61DA349DE9FE5CD1C9EBA96AD7BDF266\BlobBinary DataATTACKRANGE\Administrator 13241300x8000000000000000716503Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-30 18:26:40.511{92CAAE11-8610-6244-2700-000000004202}2844C:\Windows\Sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0022882F61DA349DE9FE5CD1C9EBA96AD7BDF266\BlobBinary DataNT AUTHORITY\SYSTEM 13241300x8000000000000000716500Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-30 18:26:40.511{92CAAE11-8610-6244-2700-000000004202}2844C:\Windows\Sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0022882F61DA349DE9FE5CD1C9EBA96AD7BDF266\BlobBinary DataNT AUTHORITY\SYSTEM 13241300x8000000000000000716497Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-30 18:26:40.511{92CAAE11-8610-6244-2700-000000004202}2844C:\Windows\Sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0022882F61DA349DE9FE5CD1C9EBA96AD7BDF266\BlobBinary DataNT AUTHORITY\SYSTEM 13241300x8000000000000000716492Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-30 18:26:40.511{92CAAE11-A0E0-6244-0904-000000004202}2936C:\Windows\system32\certutil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0022882F61DA349DE9FE5CD1C9EBA96AD7BDF266\BlobBinary DataATTACKRANGE\Administrator 13241300x8000000000000000645105Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-30 17:16:23.089{92CAAE11-8600-6244-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\BlobBinary DataNT AUTHORITY\SYSTEM 13241300x8000000000000000645102Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-SetValue2022-03-30 17:16:23.089{92CAAE11-8600-6244-0B00-000000004202}620C:\Windows\system32\lsass.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\BlobBinary DataNT AUTHORITY\SYSTEM 13241300x800000000000000049821Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:23:45.142{D66DFBF7-EDE1-6255-9C01-000000004202}8076C:\Windows\system32\wbem\wmiprvse.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1F3D38F280635F275BE92B87CF83E40E40458400\BlobBinary DataNT AUTHORITY\LOCAL SERVICE 154100x800000000000000049645Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-12 21:23:45.046{D66DFBF7-EDE1-6255-9C01-000000004202}8076C:\Windows\System32\wbem\WmiPrvSE.exe10.0.14393.2155 (rs1_release_1.180305-1842)WMI Provider HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -EmbeddingC:\Windows\system32\NT AUTHORITY\LOCAL SERVICE{D66DFBF7-EB28-6255-E503-000000000000}0x3e50SystemMD5=E1BCE838CD2695999AB34215BF94B501,SHA256=1D7B11C9DEDDAD4F77E5B7F01DDDDA04F3747E512E0AA23D39E4226854D26CA2{D66DFBF7-EB28-6255-0C00-000000004202}724C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchNT AUTHORITY\SYSTEM 13241300x800000000000000042979Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:17:42.278{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\B68D8F953E551914324E557E6164D68B9926650C\BlobBinary DataNT AUTHORITY\SYSTEM 13241300x800000000000000042970Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:17:42.277{D66DFBF7-EB28-6255-1400-000000004202}876C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\2C85006A1A028BCC349DF23C474724C055FDE8B6\BlobBinary DataNT AUTHORITY\SYSTEM 13241300x800000000000000038704Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:16:10.500{D66DFBF7-EB27-6255-0B00-000000004202}624C:\Windows\system32\lsass.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\BlobBinary DataNT AUTHORITY\SYSTEM 13241300x800000000000000038701Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:16:10.500{D66DFBF7-EB27-6255-0B00-000000004202}624C:\Windows\system32\lsass.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\BlobBinary DataNT AUTHORITY\SYSTEM 13241300x800000000000000038696Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:16:10.115{D66DFBF7-EB28-6255-1700-000000004202}1208C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\BlobBinary DataNT AUTHORITY\NETWORK SERVICE 154100x800000000000000014746Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-12 21:14:46.151{D66DFBF7-EBC6-6255-4001-000000004202}1964C:\Windows\SysWOW64\wbem\WmiPrvSE.exe10.0.14393.2155 (rs1_release_1.180305-1842)WMI Provider HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWmiprvse.exeC:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -EmbeddingC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{D66DFBF7-EB28-6255-E403-000000000000}0x3e40SystemMD5=F94C2242DE208AA0CD1A64187165B448,SHA256=0EF0BB79047494273B2F8B44F1080A1458DEF6DB2828AE517380D59CB29D7291{D66DFBF7-EB28-6255-0C00-000000004202}724C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchNT AUTHORITY\SYSTEM 13241300x80000000000000008139Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:14:35.537{D66DFBF7-EBBA-6255-3401-000000004202}8172C:\Windows\Sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\BlobBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000008136Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:14:35.537{D66DFBF7-EBBA-6255-3401-000000004202}8172C:\Windows\Sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\BlobBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000008129Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:14:35.537{D66DFBF7-EBBA-6255-3401-000000004202}8172C:\Windows\Sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\BlobBinary DataNT AUTHORITY\SYSTEM 13241300x80000000000000008126Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-SetValue2022-04-12 21:14:35.537{D66DFBF7-EBBA-6255-3401-000000004202}8172C:\Windows\Sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\BlobBinary DataNT AUTHORITY\SYSTEM 154100x8000000000000000908Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-18-2022-04-12 21:12:07.847{D66DFBF7-EB27-6255-0B00-000000004202}624C:\Windows\System32\lsass.exe10.0.14393.4704 (rs1_release.211004-1917)Local Security Authority ProcessMicrosoft® Windows® Operating SystemMicrosoft Corporationlsass.exeC:\Windows\system32\lsass.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{D66DFBF7-EB27-6255-E703-000000000000}0x3e70SystemMD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B{D66DFBF7-EB27-6255-0700-000000004202}484C:\Windows\System32\wininit.exewininit.exe