{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\backgroundTaskHost.exe\" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\SystemApps\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\","Description":"Background Task Host","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=0AED09163CC857C7BACAC953461225713DCA09F1,MD5=B7C738367CEA003DC7609993DBE4EFA5,SHA256=4D143A0B6F1FA8AA8235CDD5EE25CCE108E4E5C65B561CF3FC8FE769B9FC6959,IMPHASH=44F48CF86DC5D98588235CD0E909B6C3","Image":"C:\\Windows\\System32\\backgroundTaskHost.exe","IntegrityLevel":"AppContainer","LogonGuid":"21207A7E-6B52-5D77-0000-0020F8D60700","LogonId":"0x7d6f8","OriginalFileName":"backgroundTaskHost.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6B34-5D77-0000-001008AE0000","ParentProcessId":820,"ProcessGuid":"21207A7E-6E94-5D77-0000-001075721B00","ProcessId":5704,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:36:20.077"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":13961,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:20.082409Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\backgroundTaskHost.exe","ProcessGuid":"21207A7E-6E94-5D77-0000-001075721B00","ProcessId":5704,"RuleName":"","UtcTime":"2019-09-10 09:36:20.366"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":13962,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:20.380135Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"LogonUI.exe\" /flags:0x0 /state0:0xa3a3f855 /state1:0x41c64e6d","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Logon User Interface Host","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=C52F8F22FD9A7628EA67F3009D2B2D073CED52CC,MD5=49C7551E48E142D2612ACFBF1FAF2B17,SHA256=B331A73DC5C24CD20D5F147CE5EF0499D43BF68707133EFC5E6A7D2D62B14B72,IMPHASH=A291F38DBDE84233376DBA1706BAF71B","Image":"C:\\Windows\\System32\\LogonUI.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6B33-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"logonui.exe","ParentCommandLine":"winlogon.exe","ParentImage":"C:\\Windows\\System32\\winlogon.exe","ParentProcessGuid":"21207A7E-6B32-5D77-0000-00100B8D0000","ParentProcessId":684,"ProcessGuid":"21207A7E-6E96-5D77-0000-001070841B00","ProcessId":4560,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:36:22.690"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":13963,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:22.692989Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\notepad.exe","ProcessGuid":"21207A7E-6CAF-5D77-0000-00101A581600","ProcessId":2404,"RuleName":"","UtcTime":"2019-09-10 09:36:22.819"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":13964,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:22.889137Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\mmc.exe","ProcessGuid":"21207A7E-6D82-5D77-0000-001007731800","ProcessId":2020,"RuleName":"","UtcTime":"2019-09-10 09:36:23.116"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":13965,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:23.120792Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\svchost.exe","ProcessGuid":"21207A7E-6BB0-5D77-0000-00109A880F00","ProcessId":5728,"RuleName":"","UtcTime":"2019-09-10 09:36:23.163"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":13966,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:23.176783Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-09-10 09:21:19.334","Image":"C:\\Users\\pula\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe","PreviousCreationUtcTime":"2019-09-10 09:36:23.197","ProcessGuid":"21207A7E-6B60-5D77-0000-0010219B0B00","ProcessId":4888,"RuleName":"","TargetFilename":"C:\\Users\\pula\\AppData\\Local\\Microsoft\\OneDrive\\settings\\Personal\\global.temp.ini","UtcTime":"2019-09-10 09:36:23.209"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":2,"EventRecordID":13967,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":2,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:23.217517Z"}},"Version":4}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","ProcessGuid":"21207A7E-6B60-5D77-0000-001024710B00","ProcessId":4820,"RuleName":"","UtcTime":"2019-09-10 09:36:23.256"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":13968,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:23.271913Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\mmc.exe","ProcessGuid":"21207A7E-6BB7-5D77-0000-001049E30F00","ProcessId":6060,"RuleName":"","UtcTime":"2019-09-10 09:36:23.350"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":13969,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:23.363989Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Users\\pula\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe","ProcessGuid":"21207A7E-6B60-5D77-0000-0010219B0B00","ProcessId":4888,"RuleName":"","UtcTime":"2019-09-10 09:36:23.350"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":13970,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:23.365036Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":3088,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B32-5D77-0000-0010948A0000","SourceProcessId":636,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\cmd.exe","TargetProcessGuid":"21207A7E-6D89-5D77-0000-0010772D1A00","TargetProcessId":5476,"UtcTime":"2019-09-10 09:36:23.382"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":13971,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:23.390242Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\cmd.exe","ProcessGuid":"21207A7E-6D89-5D77-0000-0010772D1A00","ProcessId":5476,"RuleName":"","UtcTime":"2019-09-10 09:36:23.382"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":13972,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:23.405760Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\conhost.exe","ProcessGuid":"21207A7E-6D89-5D77-0000-0010DB2E1A00","ProcessId":5716,"RuleName":"","UtcTime":"2019-09-10 09:36:23.397"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":13973,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:23.405806Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\backgroundTaskHost.exe\" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\","Description":"Background Task Host","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=0AED09163CC857C7BACAC953461225713DCA09F1,MD5=B7C738367CEA003DC7609993DBE4EFA5,SHA256=4D143A0B6F1FA8AA8235CDD5EE25CCE108E4E5C65B561CF3FC8FE769B9FC6959,IMPHASH=44F48CF86DC5D98588235CD0E909B6C3","Image":"C:\\Windows\\System32\\backgroundTaskHost.exe","IntegrityLevel":"AppContainer","LogonGuid":"21207A7E-6B52-5D77-0000-0020F8D60700","LogonId":"0x7d6f8","OriginalFileName":"backgroundTaskHost.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6B34-5D77-0000-001008AE0000","ParentProcessId":820,"ProcessGuid":"21207A7E-6E97-5D77-0000-00108F961B00","ProcessId":5192,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:36:23.725"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":13974,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:23.727295Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\backgroundTaskHost.exe","ProcessGuid":"21207A7E-6E97-5D77-0000-00108F961B00","ProcessId":5192,"RuleName":"","UtcTime":"2019-09-10 09:36:23.725"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":13975,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:23.733283Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe","ProcessGuid":"21207A7E-6B54-5D77-0000-00100A650800","ProcessId":2752,"RuleName":"","UtcTime":"2019-09-10 09:36:24.428"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":13976,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:24.442368Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\System32\\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=D07540F29C13983BC0EEE943F0D19968D9A0FA7A,MD5=543C8A2961F38C20438A61B9455E914C,SHA256=58B5E00312DEEE5474CF42F0C86664254AE7123055219C342A80AB5754E48BF6,IMPHASH=A2E75C292B8BFCA7B2A1A8467BEFEECF","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"21207A7E-6B52-5D77-0000-0020F8D60700","LogonId":"0x7d6f8","OriginalFileName":"RUNDLL32.EXE","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6B34-5D77-0000-001008AE0000","ParentProcessId":820,"ProcessGuid":"21207A7E-6E9C-5D77-0000-0010A29E1B00","ProcessId":1344,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:36:28.545"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":13977,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:28.551690Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\rundll32.exe","ProcessGuid":"21207A7E-6E9C-5D77-0000-0010A29E1B00","ProcessId":1344,"RuleName":"","UtcTime":"2019-09-10 09:36:28.553"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":13978,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:28.568820Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\System32\\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=D07540F29C13983BC0EEE943F0D19968D9A0FA7A,MD5=543C8A2961F38C20438A61B9455E914C,SHA256=58B5E00312DEEE5474CF42F0C86664254AE7123055219C342A80AB5754E48BF6,IMPHASH=A2E75C292B8BFCA7B2A1A8467BEFEECF","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"21207A7E-6B52-5D77-0000-0020F8D60700","LogonId":"0x7d6f8","OriginalFileName":"RUNDLL32.EXE","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6B34-5D77-0000-001008AE0000","ParentProcessId":820,"ProcessGuid":"21207A7E-6E9C-5D77-0000-001050A01B00","ProcessId":1768,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:36:28.573"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":13979,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:28.574867Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\rundll32.exe","ProcessGuid":"21207A7E-6E9C-5D77-0000-001050A01B00","ProcessId":1768,"RuleName":"","UtcTime":"2019-09-10 09:36:28.569"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":13980,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:28.582967Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\explorer.exe","ProcessGuid":"21207A7E-6B52-5D77-0000-00106EFF0700","ProcessId":3772,"RuleName":"","UtcTime":"2019-09-10 09:36:28.585"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":13981,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:28.595784Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\sihost.exe","ProcessGuid":"21207A7E-6B52-5D77-0000-00109DE80700","ProcessId":3592,"RuleName":"","UtcTime":"2019-09-10 09:36:28.616"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":13982,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:28.637960Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\RuntimeBroker.exe","ProcessGuid":"21207A7E-6B52-5D77-0000-0010500C0800","ProcessId":3840,"RuleName":"","UtcTime":"2019-09-10 09:36:28.632"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":13983,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:28.645974Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\taskhostw.exe","ProcessGuid":"21207A7E-6B52-5D77-0000-0010C3EB0700","ProcessId":3624,"RuleName":"","UtcTime":"2019-09-10 09:36:28.772"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":13984,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:28.777897Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe","ProcessGuid":"21207A7E-6B54-5D77-0000-0010D1590800","ProcessId":3016,"RuleName":"","UtcTime":"2019-09-10 09:36:28.803"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":13985,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:28.815371Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\SearchProtocolHost.exe\" Global\\UsGthrFltPipeMssGthrPipe3_ Global\\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 \"Software\\Microsoft\\Windows Search\" \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)\" \"C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\usgthrsvc\" \"DownLevelDaemon\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Windows Search Protocol Host","FileVersion":"7.00.10240.16384 (th1.150709-1700)","Hashes":"SHA1=A0E317A76134A49D1F10D82DD5E36BB510F058A6,MD5=84EB6D7AF73E10486135F1525168F9CF,SHA256=9EA9FF5EECACFD5E6E24E8EC67C4FACBE3BA87734D1A4D208D024449BC853E7F,IMPHASH=86120B538168BB8DDA7AA8AC9FDA326E","Image":"C:\\Windows\\System32\\SearchProtocolHost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6B33-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"SearchProtocolHost.exe","ParentCommandLine":"C:\\Windows\\system32\\SearchIndexer.exe /Embedding","ParentImage":"C:\\Windows\\System32\\SearchIndexer.exe","ParentProcessGuid":"21207A7E-6B53-5D77-0000-0010CA2E0800","ParentProcessId":3936,"ProcessGuid":"21207A7E-6E9C-5D77-0000-001010AE1B00","ProcessId":6012,"Product":"Windows® Search","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:36:28.930"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":13986,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:28.933606Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\SearchFilterHost.exe\" 0 612 616 624 8192 620 ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Windows Search Filter Host","FileVersion":"7.00.10240.16384 (th1.150709-1700)","Hashes":"SHA1=50D067B8AD83AEDEC6874032744123577B5C3946,MD5=675CBA18E97CF6AE918100665451F4D3,SHA256=A149F35ED144E34B0652007F0382536BDB36258FBC3068459B64AB6C54B86952,IMPHASH=E300F39176345F8F5EA7ABC22320ACDD","Image":"C:\\Windows\\System32\\SearchFilterHost.exe","IntegrityLevel":"Medium","LogonGuid":"21207A7E-6B33-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"SearchFilterHost.exe","ParentCommandLine":"C:\\Windows\\system32\\SearchIndexer.exe /Embedding","ParentImage":"C:\\Windows\\System32\\SearchIndexer.exe","ParentProcessGuid":"21207A7E-6B53-5D77-0000-0010CA2E0800","ParentProcessId":3936,"ProcessGuid":"21207A7E-6E9D-5D77-0000-001060B21B00","ProcessId":2492,"Product":"Windows® Search","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:36:29.000"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":13987,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:29.005031Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\svchost.exe","ProcessGuid":"21207A7E-6B36-5D77-0000-00109AD30100","ProcessId":1924,"RuleName":"","UtcTime":"2019-09-10 09:36:30.631"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":13988,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:30.638570Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","ProcessGuid":"21207A7E-6B36-5D77-0000-0010F6DA0100","ProcessId":2000,"RuleName":"","UtcTime":"2019-09-10 09:36:31.647"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":13989,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.661874Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":4128,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\svchost.exe","TargetProcessGuid":"21207A7E-6B35-5D77-0000-0010CE360100","TargetProcessId":1024,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":13990,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.759265Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":4412,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\svchost.exe","TargetProcessGuid":"21207A7E-6B36-5D77-0000-001036D40100","TargetProcessId":1932,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":13991,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.767461Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":5148,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\SearchProtocolHost.exe","TargetProcessGuid":"21207A7E-6E9C-5D77-0000-001010AE1B00","TargetProcessId":6012,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":13992,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.767514Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":4708,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\svchost.exe","TargetProcessGuid":"21207A7E-6B34-5D77-0000-001008AE0000","TargetProcessId":820,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":13993,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.767562Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":4572,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\svchost.exe","TargetProcessGuid":"21207A7E-6B34-5D77-0000-001000E90000","TargetProcessId":852,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":13994,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.767592Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":5180,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\svchost.exe","TargetProcessGuid":"21207A7E-6B35-5D77-0000-0010A23E0100","TargetProcessId":1080,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":13995,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.767619Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":4072,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\svchost.exe","TargetProcessGuid":"21207A7E-6B35-5D77-0000-0010A83F0100","TargetProcessId":1096,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":13996,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.767645Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":4132,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe","TargetProcessGuid":"21207A7E-6B35-5D77-0000-0010CC420100","TargetProcessId":1152,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":13997,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.767677Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":4728,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\svchost.exe","TargetProcessGuid":"21207A7E-6B36-5D77-0000-0010B8580100","TargetProcessId":1360,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":13998,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.767706Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":3828,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\spoolsv.exe","TargetProcessGuid":"21207A7E-6B36-5D77-0000-0010F76B0100","TargetProcessId":1516,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":13999,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.767734Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":5212,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\svchost.exe","TargetProcessGuid":"21207A7E-6B36-5D77-0000-0010E96E0100","TargetProcessId":1548,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":14000,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.767762Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":4452,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\svchost.exe","TargetProcessGuid":"21207A7E-6B36-5D77-0000-001080CA0100","TargetProcessId":1796,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":14001,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.767786Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":4908,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\SearchFilterHost.exe","TargetProcessGuid":"21207A7E-6E9D-5D77-0000-001060B21B00","TargetProcessId":2492,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":14002,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.767810Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":4448,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\Sysmon.exe","TargetProcessGuid":"21207A7E-6B36-5D77-0000-0010ABD20100","TargetProcessId":1912,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":14003,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.767873Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":4040,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe","TargetProcessGuid":"21207A7E-6B36-5D77-0000-001082DA0100","TargetProcessId":1992,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":14004,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.767906Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":5496,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Program Files\\Windows Defender\\MsMpEng.exe","TargetProcessGuid":"21207A7E-6B37-5D77-0000-00108AE40100","TargetProcessId":464,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":14005,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.767939Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":5276,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\wbem\\unsecapp.exe","TargetProcessGuid":"21207A7E-6B38-5D77-0000-00105F330200","TargetProcessId":2108,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":14006,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.767971Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":3152,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","TargetProcessGuid":"21207A7E-6B38-5D77-0000-001051510200","TargetProcessId":2228,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":14007,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.767997Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":3796,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\dllhost.exe","TargetProcessGuid":"21207A7E-6B39-5D77-0000-0010D37B0200","TargetProcessId":2428,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":14008,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.768045Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":1536,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\msdtc.exe","TargetProcessGuid":"21207A7E-6B3B-5D77-0000-0010CC130300","TargetProcessId":2540,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":14009,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.768066Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":5500,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","TargetProcessGuid":"21207A7E-6B4C-5D77-0000-0010AEA00700","TargetProcessId":3420,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":14010,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.768086Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":5772,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\SearchIndexer.exe","TargetProcessGuid":"21207A7E-6B53-5D77-0000-0010CA2E0800","TargetProcessId":3936,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":14011,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.768113Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":3380,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\svchost.exe","TargetProcessGuid":"21207A7E-6B35-5D77-0000-0010C6400100","TargetProcessId":1112,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":14012,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.768146Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":2332,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\svchost.exe","TargetProcessGuid":"21207A7E-6B36-5D77-0000-001025480100","TargetProcessId":1220,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":14013,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.768177Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":2812,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Program Files\\Windows Defender\\NisSrv.exe","TargetProcessGuid":"21207A7E-6B3B-5D77-0000-0010D22D0300","TargetProcessId":2804,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":14014,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.768221Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":5860,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\lsass.exe","TargetProcessGuid":"21207A7E-6B33-5D77-0000-0010E2960000","TargetProcessId":752,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":14015,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.772101Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":3488,"RuleName":"","SourceImage":"C:\\Windows\\System32\\csrss.exe","SourceProcessGuid":"21207A7E-6B30-5D77-0000-0010F3850000","SourceProcessId":564,"StartAddress":"0x753B36C0","StartFunction":"CtrlRoutine","StartModule":"C:\\Windows\\system32\\KERNELBASE.dll","TargetImage":"C:\\Windows\\System32\\services.exe","TargetProcessGuid":"21207A7E-6B33-5D77-0000-001004960000","TargetProcessId":744,"UtcTime":"2019-09-10 09:36:31.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":14016,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.773974Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\msdtc.exe","ProcessGuid":"21207A7E-6B3B-5D77-0000-0010CC130300","ProcessId":2540,"RuleName":"","UtcTime":"2019-09-10 09:36:31.866"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14017,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.876798Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\svchost.exe","ProcessGuid":"21207A7E-6B36-5D77-0000-001080CA0100","ProcessId":1796,"RuleName":"","UtcTime":"2019-09-10 09:36:31.928"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14018,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.935827Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\SearchFilterHost.exe","ProcessGuid":"21207A7E-6E9D-5D77-0000-001060B21B00","ProcessId":2492,"RuleName":"","UtcTime":"2019-09-10 09:36:31.928"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14019,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.944019Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\SearchProtocolHost.exe","ProcessGuid":"21207A7E-6E9C-5D77-0000-001010AE1B00","ProcessId":6012,"RuleName":"","UtcTime":"2019-09-10 09:36:31.944"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14020,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:31.959278Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\SearchIndexer.exe","ProcessGuid":"21207A7E-6B53-5D77-0000-0010CA2E0800","ProcessId":3936,"RuleName":"","UtcTime":"2019-09-10 09:36:32.069"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14021,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:32.074746Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Program Files\\Windows Defender\\MsMpEng.exe","ProcessGuid":"21207A7E-6B37-5D77-0000-00108AE40100","ProcessId":464,"RuleName":"","UtcTime":"2019-09-10 09:36:32.272"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14022,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2356}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:36:32.275367Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"SchemaVersion":"4.21","State":"Started","UtcTime":"2019-09-10 09:37:04.053","Version":"10.2"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":4,"EventRecordID":14023,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":4,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.063558Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\\SystemRoot\\System32\\smss.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows","Description":"Windows Session Manager","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=B366F8CD72C54612703D0E7413389A9FB3CD63CC,MD5=72627ED4B27A53D8E270C90EB8A0355C,SHA256=025728C1811E2BEF67A0A28580999AE5706041910356A5009C7FAC6D2C09C5AB,IMPHASH=7E741BE2FF75F6A695DF9939EA55A4BE","Image":"C:\\Windows\\System32\\smss.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"smss.exe","ParentCommandLine":"?","ParentImage":"System","ParentProcessGuid":"21207A7E-6EB8-5D77-0000-0010EA030000","ParentProcessId":4,"ProcessGuid":"21207A7E-6EB8-5D77-0000-001073650000","ProcessId":480,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:36:56.013"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14024,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.068508Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\\??\\C:\\Windows\\system32\\autochk.exe *","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Auto Check Utility","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=990DEB9C2B3766ABFE0215C5DB22030163BC3563,MD5=B407085E10413D1F023A8E666140C429,SHA256=8C3B6922C73C869F5672B351D29136D81C320CD8EEE8BFE3D2CD41DA1D3F423C,IMPHASH=09D9CD83CE8150621BD78E0F2AC25656","Image":"C:\\Windows\\System32\\autochk.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"AutoChk.Exe","ParentCommandLine":"\\SystemRoot\\System32\\smss.exe","ParentImage":"C:\\Windows\\System32\\smss.exe","ParentProcessGuid":"21207A7E-6EB8-5D77-0000-001073650000","ParentProcessId":480,"ProcessGuid":"21207A7E-6EB8-5D77-0000-001086670000","ProcessId":500,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:36:56.052"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14025,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.069841Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\autochk.exe","ProcessGuid":"21207A7E-6EB8-5D77-0000-001086670000","ProcessId":500,"RuleName":"","UtcTime":"2019-09-10 09:36:56.090"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14026,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.070251Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\\SystemRoot\\System32\\smss.exe 00000070 00000074 ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\","Description":"Windows Session Manager","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=B366F8CD72C54612703D0E7413389A9FB3CD63CC,MD5=72627ED4B27A53D8E270C90EB8A0355C,SHA256=025728C1811E2BEF67A0A28580999AE5706041910356A5009C7FAC6D2C09C5AB,IMPHASH=7E741BE2FF75F6A695DF9939EA55A4BE","Image":"C:\\Windows\\System32\\smss.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"smss.exe","ParentCommandLine":"\\SystemRoot\\System32\\smss.exe","ParentImage":"C:\\Windows\\System32\\smss.exe","ParentProcessGuid":"21207A7E-6EB8-5D77-0000-001073650000","ParentProcessId":480,"ProcessGuid":"21207A7E-6EBA-5D77-0000-0010CF840000","ProcessId":556,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:36:58.021"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14027,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.072279Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"%%SystemRoot%%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Client Server Runtime Process","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=2E04E845089AC05D50A0D06F4C548D6B55B64D56,MD5=A8742FE745347DC07B08D396EAD038FD,SHA256=A7E2B4E8ED83CE19ED663759E65A6B7A330261FFDD4FD667D553767F352B04FD,IMPHASH=B6F49FE097F3ABD818B4A1C8A5BD1900","Image":"C:\\Windows\\System32\\csrss.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"CSRSS.Exe","ParentCommandLine":"\\SystemRoot\\System32\\smss.exe 00000070 00000074 ","ParentImage":"C:\\Windows\\System32\\smss.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010CF840000","ParentProcessId":556,"ProcessGuid":"21207A7E-6EBA-5D77-0000-001052850000","ProcessId":564,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:36:58.087"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14028,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.072733Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\\SystemRoot\\System32\\smss.exe 000000c8 00000074 ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\","Description":"Windows Session Manager","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=B366F8CD72C54612703D0E7413389A9FB3CD63CC,MD5=72627ED4B27A53D8E270C90EB8A0355C,SHA256=025728C1811E2BEF67A0A28580999AE5706041910356A5009C7FAC6D2C09C5AB,IMPHASH=7E741BE2FF75F6A695DF9939EA55A4BE","Image":"C:\\Windows\\System32\\smss.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"smss.exe","ParentCommandLine":"\\SystemRoot\\System32\\smss.exe","ParentImage":"C:\\Windows\\System32\\smss.exe","ParentProcessGuid":"21207A7E-6EB8-5D77-0000-001073650000","ParentProcessId":480,"ProcessGuid":"21207A7E-6EBA-5D77-0000-00105F890000","ProcessId":628,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:36:58.389"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14029,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.073271Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"%%SystemRoot%%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Client Server Runtime Process","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=2E04E845089AC05D50A0D06F4C548D6B55B64D56,MD5=A8742FE745347DC07B08D396EAD038FD,SHA256=A7E2B4E8ED83CE19ED663759E65A6B7A330261FFDD4FD667D553767F352B04FD,IMPHASH=B6F49FE097F3ABD818B4A1C8A5BD1900","Image":"C:\\Windows\\System32\\csrss.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"CSRSS.Exe","ParentCommandLine":"\\SystemRoot\\System32\\smss.exe 000000c8 00000074 ","ParentImage":"C:\\Windows\\System32\\smss.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-00105F890000","ParentProcessId":628,"ProcessGuid":"21207A7E-6EBA-5D77-0000-0010C7890000","ProcessId":636,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:36:58.392"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14030,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.073543Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"wininit.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Start-Up Application","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=E1734C743D52BE676860190699AF26303DEFFA53,MD5=75766ADB5250CD43F68648AF9AC02695,SHA256=D61AA9E394037E8E8D18AC7F14E87A3DD92EFBB17C8097ACE2380299E31C5F43,IMPHASH=E113FC6C39CDC3FDB57F3D7B4F9BCD8A","Image":"C:\\Windows\\System32\\wininit.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"WinInit.exe","ParentCommandLine":"\\SystemRoot\\System32\\smss.exe 00000070 00000074 ","ParentImage":"C:\\Windows\\System32\\smss.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010CF840000","ParentProcessId":556,"ProcessGuid":"21207A7E-6EBA-5D77-0000-0010E1890000","ProcessId":644,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:36:58.393"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14031,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.073937Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\smss.exe","ProcessGuid":"21207A7E-6EBA-5D77-0000-0010CF840000","ProcessId":556,"RuleName":"","UtcTime":"2019-09-10 09:36:58.407"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14032,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.073983Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"winlogon.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Logon Application","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=D1BE7A73AF5E2D6A150D709AA4BC2DB7AF8F7DC6,MD5=930ED53FC2A24FF4BA66131E031CD14C,SHA256=FA66D46BAFB4B9713EF55A22AE93BF7736435A6F9CBA5758DCAD8E9D21678001,IMPHASH=30F704E0E7339BA9C602E4A722902976","Image":"C:\\Windows\\System32\\winlogon.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"WINLOGON.EXE","ParentCommandLine":"\\SystemRoot\\System32\\smss.exe 000000c8 00000074 ","ParentImage":"C:\\Windows\\System32\\smss.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-00105F890000","ParentProcessId":628,"ProcessGuid":"21207A7E-6EBA-5D77-0000-0010698C0000","ProcessId":676,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:36:58.420"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14033,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.074222Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\smss.exe","ProcessGuid":"21207A7E-6EBA-5D77-0000-00105F890000","ProcessId":628,"RuleName":"","UtcTime":"2019-09-10 09:36:58.422"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14034,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.074272Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\services.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Services and Controller app","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=50519B0C7E2E1F9E4F35757C1E3E8E7B89390AE0,MD5=48A5107E71E1F6581D739003191B4610,SHA256=1CF67202FA9033AE3B9C042F4F7A50D397B2E2172B490DB12A0AE0F69C458EE8,IMPHASH=057E4960D9324C673159CBED5D4090D5","Image":"C:\\Windows\\System32\\services.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"services.exe","ParentCommandLine":"wininit.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010E1890000","ParentProcessId":644,"ProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ProcessId":740,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:36:58.537"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14035,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.074576Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Local Security Authority Process","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=70BBFB8CB36F46B82ED5FEB6E04BCC7D70FA511D,MD5=C33D357DBB05447FB85B01BB897CAD47,SHA256=FD4C60E7D5B7E83D2C14D055C56652688BAA119E1B411B4A03B607A6B6E1592E,IMPHASH=C1372C05D416A3F27915AE568BF08732","Image":"C:\\Windows\\System32\\lsass.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"lsass.exe","ParentCommandLine":"wininit.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010E1890000","ParentProcessId":644,"ProcessGuid":"21207A7E-6EBA-5D77-0000-00109C970000","ProcessId":748,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:36:58.557"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14036,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.074872Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8344a|C:\\Windows\\system32\\KERNELBASE.dll+b8618|C:\\Windows\\system32\\KERNELBASE.dll+e0d7c|C:\\Windows\\system32\\wininit.exe+8ed4|C:\\Windows\\system32\\wininit.exe+87a4|C:\\Windows\\system32\\wininit.exe+7f70|C:\\Windows\\system32\\wininit.exe+7bb6|C:\\Windows\\system32\\wininit.exe+b371|C:\\Windows\\system32\\KERNEL32.DLL+1dea4|C:\\Windows\\SYSTEM32\\ntdll.dll+505ae|C:\\Windows\\SYSTEM32\\ntdll.dll+5057d","GrantedAccess":"0x1fffff","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wininit.exe","SourceProcessGUID":"21207A7E-6EBA-5D77-0000-0010E1890000","SourceProcessId":644,"SourceThreadId":648,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:36:58.547"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14037,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.074988Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\basesrv.DLL+275e|C:\\Windows\\system32\\CSRSRV.dll+5969|C:\\Windows\\SYSTEM32\\ntdll.dll+505bd|C:\\Windows\\SYSTEM32\\ntdll.dll+5057d","GrantedAccess":"0x1fffff","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\csrss.exe","SourceProcessGUID":"21207A7E-6EBA-5D77-0000-001052850000","SourceProcessId":564,"SourceThreadId":576,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:36:58.547"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14038,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.075080Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\KERNELBASE.dll+cf8c8|C:\\Windows\\system32\\wininit.exe+915f|C:\\Windows\\system32\\wininit.exe+8efa|C:\\Windows\\system32\\wininit.exe+87a4|C:\\Windows\\system32\\wininit.exe+7f70|C:\\Windows\\system32\\wininit.exe+7bb6|C:\\Windows\\system32\\wininit.exe+b371|C:\\Windows\\system32\\KERNEL32.DLL+1dea4|C:\\Windows\\SYSTEM32\\ntdll.dll+505ae|C:\\Windows\\SYSTEM32\\ntdll.dll+5057d","GrantedAccess":"0x1000000","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wininit.exe","SourceProcessGUID":"21207A7E-6EBA-5D77-0000-0010E1890000","SourceProcessId":644,"SourceThreadId":648,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:36:58.547"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14039,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.075210Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=BCAE71BA4068BE87F9D5739AFEC8F7081D00A97E,MD5=A412DEDAC6A1FF7BA06FEB3B6725495E,SHA256=B4853F76DFE066A5B2AEB3166BAC4D6FF1548E9119205F65AC6CAB6D165F9850,IMPHASH=E7C7977A9A81DE6269643983B71B739C","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"svchost.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBA-5D77-0000-001087AB0000","ProcessId":812,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:36:58.777"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14040,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.075685Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k RPCSS","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=BCAE71BA4068BE87F9D5739AFEC8F7081D00A97E,MD5=A412DEDAC6A1FF7BA06FEB3B6725495E,SHA256=B4853F76DFE066A5B2AEB3166BAC4D6FF1548E9119205F65AC6CAB6D165F9850,IMPHASH=E7C7977A9A81DE6269643983B71B739C","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E4030000","LogonId":"0x3e4","OriginalFileName":"svchost.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBA-5D77-0000-001085FA0000","ProcessId":844,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\NETWORK SERVICE","UtcTime":"2019-09-10 09:36:58.849"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14041,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.076186Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"LogonUI.exe\" /flags:0x0 /state0:0xa3bcb055 /state1:0x41c64e6d","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Logon User Interface Host","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=C52F8F22FD9A7628EA67F3009D2B2D073CED52CC,MD5=49C7551E48E142D2612ACFBF1FAF2B17,SHA256=B331A73DC5C24CD20D5F147CE5EF0499D43BF68707133EFC5E6A7D2D62B14B72,IMPHASH=A291F38DBDE84233376DBA1706BAF71B","Image":"C:\\Windows\\System32\\LogonUI.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"logonui.exe","ParentCommandLine":"winlogon.exe","ParentImage":"C:\\Windows\\System32\\winlogon.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010698C0000","ParentProcessId":676,"ProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6040100","ProcessId":948,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:36:58.941"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14042,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.077041Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"dwm.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Desktop Window Manager","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=9F72B96FFFC5173FE0F3103545DD050283179717,MD5=0B6D857AA8C03AC17C19D69543D989C7,SHA256=846EDA6F8CDED0C1A8FE473B66CE85F9774428A29EB1818FF085BD84AC7824CA,IMPHASH=909ADB155C763E1F73B1E3CD27FABE2F","Image":"C:\\Windows\\System32\\dwm.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E1040100","LogonId":"0x104e1","OriginalFileName":"dwm.exe","ParentCommandLine":"winlogon.exe","ParentImage":"C:\\Windows\\System32\\winlogon.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010698C0000","ParentProcessId":676,"ProcessGuid":"21207A7E-6EBA-5D77-0000-00101B060100","ProcessId":956,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"Window Manager\\DWM-1","UtcTime":"2019-09-10 09:36:58.950"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14043,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.077996Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=BCAE71BA4068BE87F9D5739AFEC8F7081D00A97E,MD5=A412DEDAC6A1FF7BA06FEB3B6725495E,SHA256=B4853F76DFE066A5B2AEB3166BAC4D6FF1548E9119205F65AC6CAB6D165F9850,IMPHASH=E7C7977A9A81DE6269643983B71B739C","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"svchost.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBB-5D77-0000-001025350100","ProcessId":1028,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:36:59.095"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14044,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.078458Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=A5B3154572D824B482229C217CF3ABB52184C527,MD5=B6AFA387FBF0E29D9C24421156228B91,SHA256=D3935FA403A23F972B0FF1DE0294789F2400C6E469A14F7C21CA58F746F77033,IMPHASH=E19C9EA68937A833A833D876229B5F63","ImageLoaded":"C:\\Windows\\System32\\drivers\\crashdmp.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.840"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14045,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.092377Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=C0CBD6548CA258439010E049F36E289CE49B6AAC,MD5=FBB578566F9249A3902BD61084B69482,SHA256=FBB041C1C38381DFA5C07D0F733F4DD1E8F4B72AACE2B5090C359451DA47347A,IMPHASH=CD7590EB1B8509D5151C678BA7A678D7","ImageLoaded":"C:\\Windows\\System32\\drivers\\Diskdump.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.728"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14046,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.097358Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=C0CBD6548CA258439010E049F36E289CE49B6AAC,MD5=FBB578566F9249A3902BD61084B69482,SHA256=FBB041C1C38381DFA5C07D0F733F4DD1E8F4B72AACE2B5090C359451DA47347A,IMPHASH=CD7590EB1B8509D5151C678BA7A678D7","ImageLoaded":"C:\\Windows\\System32\\drivers\\Diskdump.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.840"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14047,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.097531Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=DDBBC868BBA57224C5FF6B51B194590FE2868BA6,MD5=228CF87DF76B2A98B343C1980A9A1450,SHA256=6F94C84EC4554D9D8E989690EB3CAAEA33C6454E4EC8996FCFCF0F8E5F6C9CE9,IMPHASH=9DF404FA5427EDBACB203B21CFB65ACC","ImageLoaded":"C:\\Windows\\System32\\drivers\\lsi_sas.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.729"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14048,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.103092Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=DDBBC868BBA57224C5FF6B51B194590FE2868BA6,MD5=228CF87DF76B2A98B343C1980A9A1450,SHA256=6F94C84EC4554D9D8E989690EB3CAAEA33C6454E4EC8996FCFCF0F8E5F6C9CE9,IMPHASH=9DF404FA5427EDBACB203B21CFB65ACC","ImageLoaded":"C:\\Windows\\System32\\drivers\\lsi_sas.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.840"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14049,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.103303Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=91F127D6240E37E682766C47D7D2F4B7172C71F9,MD5=2AF8BBB6B2C85BFB9137DC731E086EAE,SHA256=7440B2CC1837E0BD4D2CFCBF85462AF7E1232F01A2A6ED343B6F33EE0C436CE0,IMPHASH=3A4D0A3B88D0E67EF669ADAA2966A7D3","ImageLoaded":"C:\\Windows\\System32\\drivers\\dumpfve.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.729"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14050,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.108153Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=91F127D6240E37E682766C47D7D2F4B7172C71F9,MD5=2AF8BBB6B2C85BFB9137DC731E086EAE,SHA256=7440B2CC1837E0BD4D2CFCBF85462AF7E1232F01A2A6ED343B6F33EE0C436CE0,IMPHASH=3A4D0A3B88D0E67EF669ADAA2966A7D3","ImageLoaded":"C:\\Windows\\System32\\drivers\\dumpfve.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.840"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14051,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.108309Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=BCAE71BA4068BE87F9D5739AFEC8F7081D00A97E,MD5=A412DEDAC6A1FF7BA06FEB3B6725495E,SHA256=B4853F76DFE066A5B2AEB3166BAC4D6FF1548E9119205F65AC6CAB6D165F9850,IMPHASH=E7C7977A9A81DE6269643983B71B739C","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBB-5D77-0000-0020E5030000","LogonId":"0x3e5","OriginalFileName":"svchost.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBB-5D77-0000-0010913B0100","ProcessId":1076,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\LOCAL SERVICE","UtcTime":"2019-09-10 09:36:59.231"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14052,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.111392Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe\"","Company":"VMware, Inc.","CurrentDirectory":"C:\\Windows\\system32\\","Description":"VMware Activation Helper","FileVersion":"10.2.5.8049","Hashes":"SHA1=F246D4EA343B81F6F762D653614C702CD56B62E2,MD5=86F56C0EBBF2C9A387F7A2F02BD9983B,SHA256=4779FF6DD177F13D7C9AC45D18E95196F9A76637EAFDC011DC74E0BA608C7F2E,IMPHASH=CF755E51141B8ACA89C506C0C438F538","Image":"C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"vmacthlp.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBB-5D77-0000-0010643B0100","ProcessId":1068,"Product":"VMware Tools","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:36:59.230"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14053,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.111775Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k LocalService","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=BCAE71BA4068BE87F9D5739AFEC8F7081D00A97E,MD5=A412DEDAC6A1FF7BA06FEB3B6725495E,SHA256=B4853F76DFE066A5B2AEB3166BAC4D6FF1548E9119205F65AC6CAB6D165F9850,IMPHASH=E7C7977A9A81DE6269643983B71B739C","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBB-5D77-0000-0020E5030000","LogonId":"0x3e5","OriginalFileName":"svchost.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBB-5D77-0000-0010F23C0100","ProcessId":1096,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\LOCAL SERVICE","UtcTime":"2019-09-10 09:36:59.250"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14054,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.112228Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=BCAE71BA4068BE87F9D5739AFEC8F7081D00A97E,MD5=A412DEDAC6A1FF7BA06FEB3B6725495E,SHA256=B4853F76DFE066A5B2AEB3166BAC4D6FF1548E9119205F65AC6CAB6D165F9850,IMPHASH=E7C7977A9A81DE6269643983B71B739C","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"svchost.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBB-5D77-0000-00107F3E0100","ProcessId":1112,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:36:59.280"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14055,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.112660Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=BCAE71BA4068BE87F9D5739AFEC8F7081D00A97E,MD5=A412DEDAC6A1FF7BA06FEB3B6725495E,SHA256=B4853F76DFE066A5B2AEB3166BAC4D6FF1548E9119205F65AC6CAB6D165F9850,IMPHASH=E7C7977A9A81DE6269643983B71B739C","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBB-5D77-0000-0020E5030000","LogonId":"0x3e5","OriginalFileName":"svchost.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBB-5D77-0000-0010AD3F0100","ProcessId":1132,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\LOCAL SERVICE","UtcTime":"2019-09-10 09:36:59.311"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14056,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.113161Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"taskhostw.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Tasks","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=6A38BAE4824CD34A98E77DD524335CF01A4BD68B,MD5=881B943EF7081F6D3DB8D4F3B2E22631,SHA256=B42C95B2C9209790B68B36CE98E635D578437D33104436A222B5675793A9F7F1,IMPHASH=6579605FE7754836EE0018C314B4EA8A","Image":"C:\\Windows\\System32\\taskhostw.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"taskhostw.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBB-5D77-0000-001025350100","ParentProcessId":1028,"ProcessGuid":"21207A7E-6EBB-5D77-0000-0010865B0100","ProcessId":1372,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:36:59.587"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14057,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.114940Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+83caa|C:\\Windows\\system32\\RPCRT4.dll+3aba9|C:\\Windows\\system32\\RPCRT4.dll+30e26|C:\\Windows\\system32\\services.exe+8b11|C:\\Windows\\system32\\RPCRT4.dll+5a8ac|C:\\Windows\\system32\\RPCRT4.dll+57ba|C:\\Windows\\system32\\RPCRT4.dll+37d9|C:\\Windows\\system32\\RPCRT4.dll+2ba85|C:\\Windows\\system32\\RPCRT4.dll+2ac48|C:\\Windows\\system32\\RPCRT4.dll+2b3e8|C:\\Windows\\system32\\RPCRT4.dll+40b2b|C:\\Windows\\system32\\RPCRT4.dll+4106d|C:\\Windows\\system32\\RPCRT4.dll+3e5a9|C:\\Windows\\system32\\RPCRT4.dll+3bb15|C:\\Windows\\system32\\RPCRT4.dll+2deb3|C:\\Windows\\SYSTEM32\\ntdll.dll+3e8f0","GrantedAccess":"0x1000","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\services.exe","SourceProcessGUID":"21207A7E-6EBA-5D77-0000-0010C6960000","SourceProcessId":740,"SourceThreadId":1124,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:36:59.590"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14058,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.115258Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k NetworkService","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=BCAE71BA4068BE87F9D5739AFEC8F7081D00A97E,MD5=A412DEDAC6A1FF7BA06FEB3B6725495E,SHA256=B4853F76DFE066A5B2AEB3166BAC4D6FF1548E9119205F65AC6CAB6D165F9850,IMPHASH=E7C7977A9A81DE6269643983B71B739C","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E4030000","LogonId":"0x3e4","OriginalFileName":"svchost.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBB-5D77-0000-0010575D0100","ProcessId":1408,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\NETWORK SERVICE","UtcTime":"2019-09-10 09:36:59.602"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14059,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.115825Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\System32\\spoolsv.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Spooler SubSystem App","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=D470476C5DD1A0F6DE3F0AC06A16CAF4915E4238,MD5=E185391867B572A663EB2C3388ED4663,SHA256=011F422418DB1E8F796A593785B29F302EC635D6B63DDD0898F2AA663AEA5A23,IMPHASH=379B1E38B9D1D1CA57AA4CE944C4611B","Image":"C:\\Windows\\System32\\spoolsv.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"spoolsv.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBB-5D77-0000-00104A680100","ProcessId":1500,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:36:59.684"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14060,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.116712Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=BCAE71BA4068BE87F9D5739AFEC8F7081D00A97E,MD5=A412DEDAC6A1FF7BA06FEB3B6725495E,SHA256=B4853F76DFE066A5B2AEB3166BAC4D6FF1548E9119205F65AC6CAB6D165F9850,IMPHASH=E7C7977A9A81DE6269643983B71B739C","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBB-5D77-0000-0020E5030000","LogonId":"0x3e5","OriginalFileName":"svchost.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBB-5D77-0000-001058730100","ProcessId":1528,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\LOCAL SERVICE","UtcTime":"2019-09-10 09:36:59.760"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14061,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.117384Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k NetworkServiceNetworkRestricted","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=BCAE71BA4068BE87F9D5739AFEC8F7081D00A97E,MD5=A412DEDAC6A1FF7BA06FEB3B6725495E,SHA256=B4853F76DFE066A5B2AEB3166BAC4D6FF1548E9119205F65AC6CAB6D165F9850,IMPHASH=E7C7977A9A81DE6269643983B71B739C","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E4030000","LogonId":"0x3e4","OriginalFileName":"svchost.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBC-5D77-0000-001001CD0100","ProcessId":1792,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\NETWORK SERVICE","UtcTime":"2019-09-10 09:37:00.144"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14062,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.118555Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\System32\\svchost.exe -k utcsvc","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=BCAE71BA4068BE87F9D5739AFEC8F7081D00A97E,MD5=A412DEDAC6A1FF7BA06FEB3B6725495E,SHA256=B4853F76DFE066A5B2AEB3166BAC4D6FF1548E9119205F65AC6CAB6D165F9850,IMPHASH=E7C7977A9A81DE6269643983B71B739C","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"svchost.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBC-5D77-0000-0010B9D20100","ProcessId":1892,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:00.186"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14063,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.119465Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\Sysmon.exe","Company":"Sysinternals - www.sysinternals.com","CurrentDirectory":"C:\\Windows\\system32\\","Description":"System activity monitor","FileVersion":"10.2","Hashes":"SHA1=214B4F2215956B7E564175CF8C78B02CE6ACE512,MD5=F6C0B1F3BAEA3132FA16676F520135E1,SHA256=E88EF7754BC8C7FB5B17B9756DF0895820F3CD6A182FDE7816C039346A4DC7CA,IMPHASH=E25D224D71234B7322FCE16AC09E4F0C","Image":"C:\\Windows\\Sysmon.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"?","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBC-5D77-0000-001011D40100","ProcessId":1912,"Product":"Sysinternals Sysmon","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:00.202"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14064,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.119932Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe\"","Company":"VMware, Inc.","CurrentDirectory":"C:\\Windows\\system32\\","Description":"VMware Guest Authentication Service","FileVersion":"10.2.5.43641","Hashes":"SHA1=A6120798F206C936C5580F21BE6811F7354FCA0F,MD5=30AB0BA207DFC9E446B7DC05F601320A,SHA256=1D0A78A716D1F21F09AAD900500F672E659F659655E72ED077639B45EFDC16FA,IMPHASH=28287447684251C8A5A78F75C1392719","Image":"C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"VGAuthService.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBC-5D77-0000-001006DF0100","ProcessId":1988,"Product":"VMware Workstation","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:00.928"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14065,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.120348Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\"","Company":"VMware, Inc.","CurrentDirectory":"C:\\Windows\\system32\\","Description":"VMware Tools Core Service","FileVersion":"10.2.5.8049","Hashes":"SHA1=7CAC9CB951E3CE441D95A3A572C1F54186F1C0DD,MD5=7AAF83EEAC84B9C31B19A3AD88817AF7,SHA256=A6D908B8C2DD18D864FF6DB9D18A2A7553F3B86310E6ABF5BC2BC9FACF082DC1,IMPHASH=F08A31F7C1DF83667BDAFD316240BB18","Image":"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"vmtoolsd.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBC-5D77-0000-0010C7DF0100","ProcessId":2004,"Product":"VMware Tools","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:00.940"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14066,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.120742Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Users\\pula\\Desktop\\Sysmon-Inyeccion.exe","Company":"?","CurrentDirectory":"C:\\Windows\\system32\\","Description":"?","FileVersion":"?","Hashes":"SHA1=0C499F96211BEC4480F48A9CD628F5FB6541A0EC,MD5=7C5712E50464B02F68AFE5C3803B2FF4,SHA256=E2DF02AF920B651CB8A9175DF1D7EB3565C6546CD665CACB9A6C5A45C07F4939,IMPHASH=FB3B46C2C06117E2149EF236E25FC6D8","Image":"C:\\Users\\pula\\Desktop\\Sysmon-Inyeccion.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"?","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBC-5D77-0000-0010F0DF0100","ProcessId":2012,"Product":"?","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:00.945"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14067,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.120927Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k appmodel","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=BCAE71BA4068BE87F9D5739AFEC8F7081D00A97E,MD5=A412DEDAC6A1FF7BA06FEB3B6725495E,SHA256=B4853F76DFE066A5B2AEB3166BAC4D6FF1548E9119205F65AC6CAB6D165F9850,IMPHASH=E7C7977A9A81DE6269643983B71B739C","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"svchost.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBD-5D77-0000-001064E40100","ProcessId":2032,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:01.023"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14068,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.121308Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\KERNELBASE.dll+cf8c8|C:\\Users\\pula\\Desktop\\Sysmon-Inyeccion.exe+29b3|C:\\Users\\pula\\Desktop\\Sysmon-Inyeccion.exe+6495|C:\\Windows\\system32\\KERNEL32.DLL+1dea4|C:\\Windows\\SYSTEM32\\ntdll.dll+505ae|C:\\Windows\\SYSTEM32\\ntdll.dll+5057d","GrantedAccess":"0x1fffff","RuleName":"Inyeccion explorer","SourceImage":"C:\\Users\\pula\\Desktop\\Sysmon-Inyeccion.exe","SourceProcessGUID":"21207A7E-6EBC-5D77-0000-0010F0DF0100","SourceProcessId":2012,"SourceThreadId":2016,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:01.037"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14069,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.121403Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\SYSTEM32\\ntdll.dll+6ec4b|C:\\Windows\\system32\\KERNEL32.DLL+29141|C:\\Windows\\system32\\KERNEL32.DLL+2f8a1|C:\\Users\\pula\\Desktop\\Sysmon-Inyeccion.exe+29c1|C:\\Users\\pula\\Desktop\\Sysmon-Inyeccion.exe+6495|C:\\Windows\\system32\\KERNEL32.DLL+1dea4|C:\\Windows\\SYSTEM32\\ntdll.dll+505ae|C:\\Windows\\SYSTEM32\\ntdll.dll+5057d","GrantedAccess":"0x1fffff","RuleName":"Inyeccion explorer","SourceImage":"C:\\Users\\pula\\Desktop\\Sysmon-Inyeccion.exe","SourceProcessGUID":"21207A7E-6EBC-5D77-0000-0010F0DF0100","SourceProcessId":2012,"SourceThreadId":2016,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:01.037"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14070,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.121448Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2019-09-10 09:21:58.926","Image":"C:\\Users\\pula\\Desktop\\Sysmon-Inyeccion.exe","ProcessGuid":"21207A7E-6EBC-5D77-0000-0010F0DF0100","ProcessId":2012,"RuleName":"","TargetFilename":"C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\sysmon-inyecciondll.dll","UtcTime":"2019-09-10 09:37:01.037"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":11,"EventRecordID":14071,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":11,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.121472Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":64,"RuleName":"","SourceImage":"C:\\Users\\pula\\Desktop\\Sysmon-Inyeccion.exe","SourceProcessGuid":"21207A7E-6EBC-5D77-0000-0010F0DF0100","SourceProcessId":2012,"StartAddress":"0x75B8A5C0","StartFunction":"LoadLibraryA","StartModule":"C:\\Windows\\system32\\KERNEL32.DLL","TargetImage":"C:\\Windows\\System32\\lsass.exe","TargetProcessGuid":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:01.037"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":14072,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.121494Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\KERNELBASE.dll+cf8c8|C:\\Users\\pula\\Desktop\\Sysmon-Inyeccion.exe+272e|C:\\Users\\pula\\Desktop\\Sysmon-Inyeccion.exe+2ad7|C:\\Users\\pula\\Desktop\\Sysmon-Inyeccion.exe+6495|C:\\Windows\\system32\\KERNEL32.DLL+1dea4|C:\\Windows\\SYSTEM32\\ntdll.dll+505ae|C:\\Windows\\SYSTEM32\\ntdll.dll+5057d","GrantedAccess":"0x1fffff","RuleName":"Inyeccion explorer","SourceImage":"C:\\Users\\pula\\Desktop\\Sysmon-Inyeccion.exe","SourceProcessGUID":"21207A7E-6EBC-5D77-0000-0010F0DF0100","SourceProcessId":2012,"SourceThreadId":2016,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:01.037"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14073,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.121525Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Users\\pula\\Desktop\\Sysmon-Inyeccion.exe","ProcessGuid":"21207A7E-6EBC-5D77-0000-0010F0DF0100","ProcessId":2012,"RuleName":"","UtcTime":"2019-09-10 09:37:01.068"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14074,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.121721Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Program Files\\Windows Defender\\MsMpEng.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Antimalware Service Executable","FileVersion":"4.8.10240.16384 (th1.150709-1700)","Hashes":"SHA1=0D77C372E71CCC41129192CA0E2ACF9C81E103D9,MD5=837EC40F650D168FFD1C1EBC1AFE952A,SHA256=F835565F3FFBBDB0C8D5A5E1600D35F8369066FE61FF822F8D1B6FB1DF8296B0,IMPHASH=6E73693D0E907F1AB7F324B64D2B9866","Image":"C:\\Program Files\\Windows Defender\\MsMpEng.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"MsMpEng.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBD-5D77-0000-0010D4EA0100","ProcessId":580,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:01.086"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14075,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.122001Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"taskhostw.exe network","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Tasks","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=6A38BAE4824CD34A98E77DD524335CF01A4BD68B,MD5=881B943EF7081F6D3DB8D4F3B2E22631,SHA256=B42C95B2C9209790B68B36CE98E635D578437D33104436A222B5675793A9F7F1,IMPHASH=6579605FE7754836EE0018C314B4EA8A","Image":"C:\\Windows\\System32\\taskhostw.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E4030000","LogonId":"0x3e4","OriginalFileName":"taskhostw.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBB-5D77-0000-001025350100","ParentProcessId":1028,"ProcessGuid":"21207A7E-6EBD-5D77-0000-00107FF20100","ProcessId":628,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\NETWORK SERVICE","UtcTime":"2019-09-10 09:37:01.210"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14076,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.122514Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\windows\\system32\\cmd.exe\" /C c:\\windows\\system32\\notepad.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Command Processor","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=CB92C2EB74F1CB25BD92B244B0F2215F4F136FC8,MD5=42FEFCA6AB3EDFB9AEE8B87292E47DFE,SHA256=6073F3616B310E8EDBFD09744E96F94A7F25FE33C79FF06A0A96E3C8888EB6F2,IMPHASH=7764C33DDF635E8636D8F4B6E7D2C48A","Image":"C:\\Windows\\System32\\cmd.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"Cmd.Exe","ParentCommandLine":"C:\\Windows\\system32\\lsass.exe","ParentImage":"C:\\Windows\\System32\\lsass.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-00109C970000","ParentProcessId":748,"ProcessGuid":"21207A7E-6EBD-5D77-0000-0010C0F80100","ProcessId":944,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:01.301"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14077,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.122899Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows","Description":"Console Window Host","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=7DF3BFA4BE09BFCCB10FE356CE45879364A0D2DC,MD5=4287D2FA46FDBFF6100455367C2D7C65,SHA256=6FB167673720640FF09E013432602E6AC9FF33D77DD8C3E4683C89D10B8E9951,IMPHASH=E8B06FF0246662E89A672B447A7462BC","Image":"C:\\Windows\\System32\\conhost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"CONHOST.EXE","ParentCommandLine":"\"C:\\windows\\system32\\cmd.exe\" /C c:\\windows\\system32\\notepad.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"21207A7E-6EBD-5D77-0000-0010C0F80100","ParentProcessId":944,"ProcessGuid":"21207A7E-6EBD-5D77-0000-001059FB0100","ProcessId":1004,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:01.328"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14078,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.123462Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"c:\\windows\\system32\\notepad.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Notepad","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=C6CCDAB3B15D997F813869CC9DE230682ED91393,MD5=56FD70793CF88C8AC74F44C7C4086E81,SHA256=17AAD577E5746A9412F9433FF9D22545B9ACAA0BAC354196B7D410999BBD6C29,IMPHASH=996BAA541FB54650003A61F19105D8CF","Image":"C:\\Windows\\System32\\notepad.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"NOTEPAD.EXE","ParentCommandLine":"\"C:\\windows\\system32\\cmd.exe\" /C c:\\windows\\system32\\notepad.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"21207A7E-6EBD-5D77-0000-0010C0F80100","ParentProcessId":944,"ProcessGuid":"21207A7E-6EBD-5D77-0000-0010E0010200","ProcessId":548,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:01.420"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14079,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.124400Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\dllhost.exe /Processid:{1D72F8F3-72A7-41D0-A13D-893FF5262B12}","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"COM Surrogate","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=B475217A1525063D7119E6AC288FB92638490373,MD5=21561B7B85B1C77F00ECA96BC30E9A20,SHA256=D17414E03A595A81D5925CADB099B71335ED54D836B1FDEE3BD0EE28B19EC3EA,IMPHASH=40D2E175C2888C8C61143B657C14F464","Image":"C:\\Windows\\System32\\dllhost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"dllhost.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBD-5D77-0000-0010F0160200","ProcessId":2076,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:01.969"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14080,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.124923Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Sink to receive asynchronous callbacks for WMI client application","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=29F105745039700E162DFCBDD92F646B3A421CFD,MD5=5A86284536D771DAE00CE1D431D0DBFF,SHA256=CFC2B985A30EFDC2DD1B39FD8AAFC232A0C582EE6D270D5B1F9E41880B0CECB6,IMPHASH=01391DEF6533D047356892094ED14EA6","Image":"C:\\Windows\\System32\\wbem\\unsecapp.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"unsecapp.dll","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-001087AB0000","ParentProcessId":812,"ProcessGuid":"21207A7E-6EBE-5D77-0000-001067210200","ProcessId":2144,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:02.053"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14081,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.125322Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Program Files\\VMware\\VMware Tools\\VMwareResolutionSet.exe\" 0 1 , 0 0 1920 1080 0","Company":"VMware, Inc.","CurrentDirectory":"C:\\Windows\\system32\\","Description":"VMware Resolution Set","FileVersion":"10.2.5.8049","Hashes":"SHA1=6A8D486D1DADD9A1033458CFC0E95A3280FA03E0,MD5=4A99FF708AEA3A14735D979A113A07EC,SHA256=8D0D00E9BDE071B0CEB3509B2CAE35E52DB6EA4C4151CD6EC63F1E25F7B92919,IMPHASH=EB0AC876CCA787EDC20A17C9476AF71C","Image":"C:\\Program Files\\VMware\\VMware Tools\\VMwareResolutionSet.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"ResolutionSet.exe","ParentCommandLine":"\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\"","ParentImage":"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","ParentProcessGuid":"21207A7E-6EBC-5D77-0000-0010C7DF0100","ParentProcessId":2004,"ProcessGuid":"21207A7E-6EBE-5D77-0000-0010AA280200","ProcessId":2176,"Product":"VMware Tools","RuleName":"","TerminalSessionId":1,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:02.165"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14082,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.125888Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"WMI Provider Host","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=34A322B2EF10C4E14D48995E56E4713011749309,MD5=834639C9DB8BFA558EE3714E7D61BF27,SHA256=D4C0038ED86C0A021095CFB85FA4D30BD9626E35CF934C0E8F5BB4C55DE1064C,IMPHASH=ACAC5A7B11D5E304A3AFB1A50B6D3941","Image":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E4030000","LogonId":"0x3e4","OriginalFileName":"Wmiprvse.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-001087AB0000","ParentProcessId":812,"ProcessGuid":"21207A7E-6EBE-5D77-0000-001031350200","ProcessId":2212,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\NETWORK SERVICE","UtcTime":"2019-09-10 09:37:02.445"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14083,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.126290Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Program Files\\VMware\\VMware Tools\\VMwareResolutionSet.exe","ProcessGuid":"21207A7E-6EBE-5D77-0000-0010AA280200","ProcessId":2176,"RuleName":"","UtcTime":"2019-09-10 09:37:02.490"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14084,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.126530Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"COM Surrogate","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=B475217A1525063D7119E6AC288FB92638490373,MD5=21561B7B85B1C77F00ECA96BC30E9A20,SHA256=D17414E03A595A81D5925CADB099B71335ED54D836B1FDEE3BD0EE28B19EC3EA,IMPHASH=40D2E175C2888C8C61143B657C14F464","Image":"C:\\Windows\\System32\\dllhost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"dllhost.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBE-5D77-0000-0010614A0200","ProcessId":2328,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:02.766"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14085,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.127730Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\System32\\msdtc.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Distributed Transaction Coordinator Service","FileVersion":"2001.12.10941.16384 (th1.150709-1700)","Hashes":"SHA1=B75459A3A88AE772219A6C0A71ED595DCEEE5DDD,MD5=26B259840A3513979D38B54AE762D240,SHA256=24909E4122E759E60FCE6BC41E663EF6B8FEEC8B5747D808B88355130B01C26B,IMPHASH=A6F5E8565E6915ECFEA09DD69C136BB8","Image":"C:\\Windows\\System32\\msdtc.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E4030000","LogonId":"0x3e4","OriginalFileName":"MSDTC.EXE","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EBF-5D77-0000-0010707D0200","ProcessId":2508,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\NETWORK SERVICE","UtcTime":"2019-09-10 09:37:03.668"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14086,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.129087Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=A5A8AAEB0E9FE77D0A10CE60AC3618BE0E50B7AC,MD5=F9859843E5ABAB82E63CC3AA0FC50CF0,SHA256=65DC89FE1ECC7C2EB2C0E964135EECAA3287859EC5A6A2E5FC29C88EC174C31C,IMPHASH=86443D63B68D00ACF6632293D921BF66","ImageLoaded":"C:\\Windows\\System32\\drivers\\cdrom.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.887"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14087,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.135247Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=F944FE403A1D015DF71DCE484A80461F298C4100,MD5=170C21ECC457DAF33D5DF3BD4D53D7D1,SHA256=12D93FF25CAE49177C1ED6C8F32F5C81E2E463C83DA2C6633184B9807F9787FF,IMPHASH=684BDFEC548F4D5030399542855E7F92","ImageLoaded":"C:\\Windows\\System32\\drivers\\tbs.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.887"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14088,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.140080Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=86FDB594C44E0C4637FB0EC9ED33AA191393E0F9,MD5=0121657A5FA70253C32E7C222B18E215,SHA256=C94F029412B77ABD3F0A600AF390B3E808A292EAB16F35B653DE9A62A0FC8ACD,IMPHASH=67DA038B32D7AA123FD5BEB4EF37212A","ImageLoaded":"C:\\Windows\\System32\\drivers\\filecrypt.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.887"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14089,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.146803Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=9D01FD20FFF9A39FCDCF7FB67DB80C97925229CA,MD5=2224E6E362ABEEB09EE97982E0AE4606,SHA256=14E2B52B243ED518CF5004EAC53ACF4888A23C44960FB26AD15FCC2AE32D225A,IMPHASH=CE44E632526A888DA98CFC6A221040A6","ImageLoaded":"C:\\Windows\\System32\\drivers\\null.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.887"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14090,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.154383Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=EFA283A51FB47ED6192C9C8497B972DE23658F36,MD5=A006F6C5E3E0AEAD49BEFFA005FFB0E1,SHA256=345F4B21AF42C3ACFA0FB2FC58D8CBE3345DC9F30C6199CCE8203B33D43C41E8,IMPHASH=E5CC1AFEABEF52DD04125334BF44F36C","ImageLoaded":"C:\\Windows\\System32\\drivers\\beep.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.887"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14091,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.160872Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=60B6C794B9C8488751856FB89FFB02D40AEAD2E0,MD5=0A68BEF42F2D7A85C1629309D553217E,SHA256=3828451AF7AD01C4F570AA17F410BBA9ADFBDC75AFF2C72C5549D7C9498D844F,IMPHASH=576422EF58F2AAF96A2E9A048FBD61B0","ImageLoaded":"C:\\Windows\\System32\\drivers\\vmrawdsk.sys","RuleName":"","Signature":"VMware, Inc.","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.903"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14092,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.172188Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=80379BFAF98E2436BBCCD64D444846AB0D2647D4,MD5=0C3251FB68C138F06E5EAFC065540324,SHA256=B6B9A0D2B1BC7090A7EB740BA1AD916189035830D7BC894C816E234A342F195F,IMPHASH=5BC631192891ECE3DB6A23E99A2AB335","ImageLoaded":"C:\\Windows\\System32\\drivers\\watchdog.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.903"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14093,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.178597Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=2FDD9D76DC34808B2BFA75B164644F1F0AAD2CCD,MD5=F9677B8B603E2BE3FCDF9F7F2A7DD95C,SHA256=B25B6A33137B354A129F75822D54ABB492322767013A8EE46D29A925895375AB,IMPHASH=B60D7D2C91D25FFA4F09FB012696C83A","ImageLoaded":"C:\\Windows\\System32\\drivers\\BasicDisplay.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.903"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14094,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.185434Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=563C8833709D6D8F4AC0C4EF7C6BD689C8E36A46,MD5=A5F21E6BD723CEA13F8D383852BC6BF8,SHA256=9349F2B9962529BE480A9D20FA6C0FF4BCDCFAA25CCC434EAD5417424A08FE2D,IMPHASH=942D339CF951C88609A044C20DB59AB9","ImageLoaded":"C:\\Windows\\System32\\drivers\\dxgkrnl.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.934"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14095,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.198241Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=4E7972C4F0E2C15544D0B60A107559E8B4331B20,MD5=1ED9A0349E1C823094B95F8E661A3625,SHA256=E100E8B516EA546D70232DC41B2F4405C35191E37C5F401108ECF7C07E48009A,IMPHASH=7000F848ADDF3782F9815637330BD934","ImageLoaded":"C:\\Windows\\System32\\drivers\\BasicRender.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.934"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14096,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.203892Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=3DA21B1E7D934B78DA327B971D00B251C4349094,MD5=C552566C5121EE41FE6CD51D002E2715,SHA256=516E99FDBA4571FAC36998EA078707383C46D3F79182ABCD2D7C6CEF83BAAAC7,IMPHASH=A0ED8D6C74EE44D0A40ED4C368F80EB3","ImageLoaded":"C:\\Windows\\System32\\drivers\\npfs.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.934"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14097,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.211346Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=E3174D15FBEBBB6B288713DDCB0CE5B192F55E4C,MD5=C0D835C215B5B3EA82C89EB253F24C2B,SHA256=1116D55641C0017E644C1DBA23463CFC9E70DB37E1937C8F1DC9E07572DAE5A6,IMPHASH=240F6C33CD74D7B9DEF5D29D5B3A9E59","ImageLoaded":"C:\\Windows\\System32\\drivers\\msfs.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.934"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14098,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.217687Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=8B55CEE58CF714544AE18096F942B9812BEC0069,MD5=0B10A6C4D33B544D175D3ED725D3E13B,SHA256=2555C5A9ECB36EED08AD5299A103D77664E17BAE272579AE083D5A9D5C25C259,IMPHASH=11F7393B6C15FBF0DAD05EB05005D0E0","ImageLoaded":"C:\\Windows\\System32\\drivers\\tdi.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.934"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14099,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.222457Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=15C5C5BFC713194FE4F924602A9402F6518C1746,MD5=35C4DBFAE5E7C4A5F53CAF94C23F0E82,SHA256=16EF575BA919DA04632028D5CCC89FA275BB07E0C25D6561189B30E1119E49BC,IMPHASH=26E49630F68A23845F67A4A7AD9D2C41","ImageLoaded":"C:\\Windows\\System32\\drivers\\tdx.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.949"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14100,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.227812Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=7EF75AC05E7A4673D6F0399039325909048AA84A,MD5=C2B8740762D91436865CDA6710CF2429,SHA256=875EC635B7D1F4F7E6EC8DA59F2F4942DC47648C34DE2B3AC8DADD0EB074F012,IMPHASH=EDD338B9C183B35B96866883D5968716","ImageLoaded":"C:\\Windows\\System32\\drivers\\ws2ifsl.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.949"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14101,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.235669Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=C7CFDEC504E52581ED700A4EABF0945033F19B98,MD5=F60AE46F9B244F3FF02BFE0DF8DBFF86,SHA256=B2FD53D558D904FCA4D55FCA873A1AB770D6891005B2D37A1E9685E2B809B7E3,IMPHASH=77C988565E595E091272C9BA8B24935F","ImageLoaded":"C:\\Windows\\System32\\drivers\\netbt.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.949"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14102,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.243925Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=AC5E01FA74C20087D715A0174233FF1B05F923C7,MD5=C5E1DEF4FE031F6CD59AF5E46165F5A8,SHA256=9008E7CA45E20D58B956C8FFE5C430C61753CF5C3681233EA06B456AE5F57A14,IMPHASH=E14DAE72CD82432B399B4DD1BBBB5CAC","ImageLoaded":"C:\\Windows\\System32\\drivers\\afd.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.965"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14103,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.251095Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=C7C9D4B1E1F58ECEC8C480BC0F7C4C24A44AE344,MD5=908B2BC47A2318332E0FE112DC215811,SHA256=DB726385DAA63E3D078CC9C1160D8D0B85F1C6061CC7C4C6B3FE0C00139F45A5,IMPHASH=2DB3623CD1A7FB2982AED0B93800C91E","ImageLoaded":"C:\\Windows\\System32\\drivers\\vwififlt.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.965"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14104,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.258951Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=F9EFC5F2AF003BEAC162B950EF8D441D8C060366,MD5=771101B3C6D8F59354135E039133B2AF,SHA256=05FC0565510AC42132516B2237E05C144B7F88B8A853FB2EEC529B787457F553,IMPHASH=3141B8C5FABBEB88F15E6757077A549D","ImageLoaded":"C:\\Windows\\System32\\drivers\\pacer.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.965"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14105,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.264137Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=61D28D812289F17BB9993DCA8C989D4227221E56,MD5=F16DD1AAEA94A1109008E09BBCCDCF60,SHA256=9BC0550409CC70AA23F25D3DB9500E9DB1ADEB02404FEEEBF98DE41E6A8DCCD2,IMPHASH=D5E1F30AF1D6F7D3BEE90BFB1EC3EF2F","ImageLoaded":"C:\\Windows\\System32\\drivers\\netbios.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.965"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14106,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.268591Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=BFD8E2CD7297B25E5967DE2670DD5935FC74994E,MD5=A340B3039E43BC243CC397C1B351262C,SHA256=4C2D6BBDED327AA68F76093E02FB71400D61CA81B6F687FBEF3A703C63523C7D,IMPHASH=21DAE1E10F09B984E39F30A93002094D","ImageLoaded":"C:\\Windows\\System32\\drivers\\rdbss.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.965"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14107,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.277287Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=6488597CE39856D7FBE4F14A70F424DF72D86420,MD5=EC0BEB55A4FDBD77B8ECC7FC905A295D,SHA256=A84121980F5672FFC519CB328FF072FEEA0AE90DA067EDDF622297E5E9D4EFA5,IMPHASH=591E5CE2C36E99E480C7A04C5FF90FCB","ImageLoaded":"C:\\Windows\\System32\\drivers\\csc.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.981"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14108,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.287929Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=2D2803A4096955111B0696B25C0A9584AB0EF8F4,MD5=8B27E449AFA08A77C54744C0E3DD542F,SHA256=7D6D73A1E173DD43EBD5ACCB5508D074C79EEC321B66D31ED17EED172E1531B1,IMPHASH=A7FADF6C638A2308284B0F16537BCF4E","ImageLoaded":"C:\\Windows\\System32\\drivers\\nsiproxy.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.981"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14109,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.323763Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=2B15CFA5EADEC8501FAB986701604403E1C1933F,MD5=BB6C28F5912D6351BCDE006081FC6BEB,SHA256=0D978A2B1DEB5126F922214997B9CF77EC9E9A7C4B18A569D5413ECA04C04767,IMPHASH=55F15AEB3CF3C001B1DBF9AEC24C8CB8","ImageLoaded":"C:\\Windows\\System32\\drivers\\npsvctrig.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.981"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14110,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.371237Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=33B1AD5E5C61FE8027FC6D7DB82FE8B2F721FD16,MD5=DC7D53161E132A1A4D0BCDEFE69111C5,SHA256=10EC7C2F1715C1CC3FDEFC5C578631FC897D2BFE466606FC394787F42FCE78C7,IMPHASH=C2A71DB93B678EB785E7882363156A2B","ImageLoaded":"C:\\Windows\\System32\\drivers\\mssmbios.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.981"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14111,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.375655Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=92AC9E00822F4C7AEBF804E60B686A683582FF03,MD5=F2CA103777B376918BB990C1C04EAE35,SHA256=59FC92135B42854586E965B1042A1ACB7AA40E90E940DF3562E104C2FB8A9AEE,IMPHASH=F87EEF3C2FC93BFAE24B77ACF983BE31","ImageLoaded":"C:\\Windows\\System32\\drivers\\gpuenergydrv.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.981"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14112,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.384825Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=066F923E41A7F53018C5A1D95980222F20066461,MD5=FF2FAE24F70AC0501C59C20136A333DD,SHA256=C0F81F6295DBE491B54692205D2EFBE607CF598B3D0951478EA65EF300CC83EB,IMPHASH=F4AB69589408B4E79CF8C0F68040F94B","ImageLoaded":"C:\\Windows\\System32\\drivers\\dfsc.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.996"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14113,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.414526Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=A90835AC82524EB1462785DF33E4C5F0A7C78648,MD5=2CE40290DF549625B5AB8A00B371EFF3,SHA256=DA59E86D052496813833D8416D428D7F82A223E835FDEF2A17495AA7F2B5C78C,IMPHASH=1CC18866D54E465C49AFA07B1FCBC10C","ImageLoaded":"C:\\Windows\\System32\\drivers\\dam.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.996"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14114,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.419084Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=DB65006B7DC211C518DCB31A918D0ADF3337A265,MD5=26BED4D2B37B9F2FF5440F128494B52B,SHA256=250BC5E1CF85B382214E87B727CB7F32635D508504F4E3C906B49A2FABEFA122,IMPHASH=15E20E2FF9242F33E6BB2F38041B7F9F","ImageLoaded":"C:\\Windows\\System32\\drivers\\ahcache.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:55.996"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14115,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.427173Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=9E378DB6B2069285F1D985C26B98B709C1526BAA,MD5=982B14414C2DB5F76F43091E816B55BC,SHA256=F268A591F7DB7E6CEF595F6739723FBCCD70FEB63FE55734C424EB900AAA5460,IMPHASH=80DE5210E3271958B1FBA236A031CAED","ImageLoaded":"C:\\Windows\\System32\\DriverStore\\FileRepository\\compositebus.inf_x86_a4832450a7024d49\\CompositeBus.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.012"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14116,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.434037Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=08A5B7489E30B215D0B5483923E389D050669205,MD5=566D95C7CCDEF5EC2FC8F1660E1B8FA0,SHA256=734897E9CCF5287FDAC26E15E9892ADA4201B7F145044C12A404E414B11141C3,IMPHASH=0160325599F61B58FAB39944F877D289","ImageLoaded":"C:\\Windows\\System32\\drivers\\kdnic.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.012"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14117,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.440617Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=D574F856141914D35B1453B767D53DFE4D3BA9CB,MD5=34196654205A974D2CB458614633694A,SHA256=844E513A10BEC4AD6F2BE320DADAEEACE97137DEF021675B9892A9223D177114,IMPHASH=79986C2C5131F0F3BEF02F191F0B1ACC","ImageLoaded":"C:\\Windows\\System32\\drivers\\umbus.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.012"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14118,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.447255Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=5BD3C6D228A263F13111311E38A775E5B1E6C3FC,MD5=4AFC7F3F691B8259B41712917808F35B,SHA256=D9CEA9D7ED8DDF43C4827113CADE8EFFB9AB3C94DAB2BEEDC79599A0CB568A46,IMPHASH=51B06780FC725F3E7AB29E95BBB86B81","ImageLoaded":"C:\\Windows\\System32\\drivers\\i8042prt.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.012"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14119,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.454433Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=AFA5212AFC8E84DD325BB8639ED7B3B9C2A2AF5B,MD5=8BF140160F18F89755BB7D4232A881E5,SHA256=37A3FA44956CE5030A3392818EE8DB04993B4C5BB2C0FBBE2A47C74BC88396E5,IMPHASH=B83687A7B7491C4B63AEAE160F2861CA","ImageLoaded":"C:\\Windows\\System32\\drivers\\kbdclass.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.012"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14120,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.458704Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=0FDF1BFB834E09D65D499A54B9122DD6D5A48E78,MD5=0A429D38F68F3FC38A01CC1F14D6115D,SHA256=9EDDB3BD71E64D0DB61BD950ED67F293565DF185400A6BE25BE6B29F35B51DE9,IMPHASH=1847DEBBCC80BD94391F151F547DF947","ImageLoaded":"C:\\Windows\\System32\\drivers\\vmmouse.sys","RuleName":"","Signature":"VMware, Inc.","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.028"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14121,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.465232Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=28874A1200D2F301609DED991B248C5A81B52F57,MD5=7A0C0F5D2BC184A10CFCCBDF18F4B03E,SHA256=7A92AF4FE405F2A8B2300049FBDEE785CC0340F6B70CB19DD3F622953E5689DF,IMPHASH=0AB426D9E032FC1F1CE01949EF47ECC1","ImageLoaded":"C:\\Windows\\System32\\drivers\\mouclass.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.028"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14122,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.469597Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=29C5FDB06D8DD46504E521D78CF7EC998DBC1EC4,MD5=C4C30156F58BF3F0B6469FD600572771,SHA256=1C9E37A68B360622B2415D0652F2B379ECB05720F26549EFB90CBE6D011EF8F5,IMPHASH=1DC77708D60CEEC0A02D2284B9F5C904","ImageLoaded":"C:\\Windows\\System32\\drivers\\serial.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.028"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14123,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.477323Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=DD6BC70B0E27485D08BBEC723F4B1B06C3670147,MD5=6DD94F4FFA57B9090F19561CB1A897EB,SHA256=386F89B11D8B224C110E3701405FFB97A2E10F0F487F8825E76BE68C2DCE7B0A,IMPHASH=A9516C718EDC36ECABB73E9DFDE051C0","ImageLoaded":"C:\\Windows\\System32\\drivers\\serenum.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.028"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14124,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.483646Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=C50AC433CF50EB5ABAF29D3D74249FFBAB15B373,MD5=F9E3496F09E59D6EDDFAF13C41D4CA04,SHA256=A0DB4B027696702A88CA2673B5D16461F671D04CB2271D247471AEE0DF1B1641,IMPHASH=2D16450AAA811BAF6DD30EDC99A958AC","ImageLoaded":"C:\\Windows\\System32\\drivers\\fdc.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.028"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14125,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.490130Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=BDD4E9A1015293E55F26D08ECD3DC999171D41D5,MD5=0CDB1C1F1D11B91601FEB6FD7FD158C2,SHA256=EE5970F6EA0718439BEE8CB4E6DB1880322131823486F4DA7E4602F477E9FC99,IMPHASH=94B86915B2EC75A09B1D09E563A972B6","ImageLoaded":"C:\\Windows\\System32\\drivers\\vm3dmp_loader.sys","RuleName":"","Signature":"VMware, Inc.","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.028"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14126,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.495854Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=9F8E27A163266D63D3B008A3BBB7698B4C103389,MD5=80AF88935C045615ADD16B4A61E487CC,SHA256=A35FD5138BDE47225D937C0B39EFED61659EF20567E12BA1EB556FEF7E1F736A,IMPHASH=E48099F2C8D64453F3AE6E90978CFE97","ImageLoaded":"C:\\Windows\\System32\\drivers\\vm3dmp.sys","RuleName":"","Signature":"VMware, Inc.","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.044"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14127,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.501645Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=C08B2F1525CAAD89061250371D777E494A726636,MD5=DD81C11357E06C9EE65C945042922919,SHA256=86A7EA6B8051E0677A6368A4D2A803F988A13DB2AED52E39F809BB88BF017A94,IMPHASH=D77AD8345060C45B8181ABD962BDBD33","ImageLoaded":"C:\\Windows\\System32\\drivers\\usbport.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.044"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14128,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.508022Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=E753883637F53B69DE5B6CB4DEE3540542BD55F6,MD5=C881DEA9BDD0E79B4A54BA63E1550916,SHA256=9A5D69BCAB77DCAB2941EE9BBC8B7F92EF547745ADC3FB04FF5E74E7F806A8DE,IMPHASH=F076A4E204A1C157EA7C14B82E0F269A","ImageLoaded":"C:\\Windows\\System32\\drivers\\usbuhci.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.044"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14129,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.513853Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=ABB1F6FEDBBE818969DD162095F14167BB06ECDA,MD5=B69F3917DB9744C6E75651576CB6E663,SHA256=2A2BDC2D331CEEACE1AEE5BAE90E227902B17322111A683C52F6BEB75D606D7D,IMPHASH=CE4F21B46F4C46A57595215E67AB48E4","ImageLoaded":"C:\\Windows\\System32\\drivers\\ks.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.059"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14130,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.523162Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=3D562B47001204B7AFBD5D0D485EECFBF0798765,MD5=F85370D6721DE7195E0F375BAD8FC159,SHA256=5520BC6B797E7570A8509927ADCB15D69D820C6296A64BB392EED6C8E6B93880,IMPHASH=B4E8EC6AB659B5084CC926074586EFDA","ImageLoaded":"C:\\Windows\\System32\\drivers\\drmk.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.059"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14131,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.530778Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=08406D7677FAC60BB00F4B197796ED13C0E2D707,MD5=896EE0583F1C4D6DA319312063D86048,SHA256=34EDE2D22370076928A781E59B2DE1BE1FB66396B6EFCEB7F19C4F188097EE4E,IMPHASH=042A9214A255E6A01EC7FFDEEA64B9D7","ImageLoaded":"C:\\Windows\\System32\\drivers\\portcls.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.059"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14132,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.539719Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=7908DF5D5EFCB209D68499C5D08120B8A93DC6D0,MD5=D102A17D9A1B5D6205D9945835DCE21E,SHA256=884F6E44E7B03D618DF8C6DDBFE4E5A64D9E345144897006B674F73989949865,IMPHASH=673A0DCDA30C52AEF87AAB09EEFCE3C9","ImageLoaded":"C:\\Windows\\System32\\drivers\\hdaudbus.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.075"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14133,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.549064Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=EA4B36AA1F46E3E3312E55B08A927C71DFFD3CAC,MD5=5E11DC890661EEFFB6765FD3673DA48B,SHA256=A041BFE9956CF95790F8CBC963DE1BDC014FAEBF1D6521DD70ED409E88A56AFF,IMPHASH=5A38405CC48C91C81908C97BF82E78AB","ImageLoaded":"C:\\Windows\\System32\\drivers\\usbehci.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.075"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14134,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.553808Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=83852E4EE70ECF10ED642F22DA7082EF69FE60F7,MD5=4AB05314EBCFCABEA87E92D2EAAEC703,SHA256=81712021AA483FFE144FC43782B5DF64EFBFB04ABEA42E3DAF916C14D2715901,IMPHASH=9F11A88149A2CAC5FD9FEC2A967EF7AC","ImageLoaded":"C:\\Windows\\System32\\drivers\\e1i6332.sys","RuleName":"","Signature":"Intel(R) Intel Network Drivers","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.075"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14135,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.561692Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=E637DC1391634FA9F4855A002AD342CF0023851F,MD5=E5C9861B72E8549995317EC54ABA0EF9,SHA256=ADF4F16A1769B323C0E86FBC8602F15623C3D7053B1684D2AD37A02C6CE16777,IMPHASH=A9CF22FF5E33E14AC9F6EC39ED056E14","ImageLoaded":"C:\\Windows\\System32\\drivers\\USBXHCI.SYS","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.090"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14136,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.568570Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=FAF0C206F46A0F0333E2E4210505FE2D631FEAA4,MD5=EFC19FB0D7E495466D50C0DDA5CF00D1,SHA256=F9E8B5DDFC7D7E4E6FA064AC05BA25D81704C08B1A1E77FC74753854F5004B60,IMPHASH=055618CB937E363CEEEE41D0B214AB00","ImageLoaded":"C:\\Windows\\System32\\drivers\\Ucx01000.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.090"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14137,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.576499Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=18943964DF08C759B6E44D20B675B84F29F7D6A0,MD5=0737BB61A171F7F9FD68959271AB8E9E,SHA256=C1BFFC07FDF861418B69076555A04C92BE5A6C73B79BDE062F17CBC6445AC7B2,IMPHASH=451054F051B529A2EE3408241946E1F0","ImageLoaded":"C:\\Windows\\System32\\drivers\\vmgencounter.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.106"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14138,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.582754Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=C48FC7B5822994905F15A661647F7AA1A55608A6,MD5=21CD7B7A33E7FED8C12B7DD79554F483,SHA256=F934431E5D891D9AA1D7C904109B00349FC6446A885C1790FDC94F4965250502,IMPHASH=3A3BD051D3BED5F64FD90745C5E5A477","ImageLoaded":"C:\\Windows\\System32\\drivers\\battc.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.106"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14139,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.587933Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=310218F2EFC3C95B769A5149286C99D0F4B26372,MD5=C8C9FDD65954BC3CF385093CB5A7DC9A,SHA256=FE85A4CDDAC135F1052A6D0ACD534CD46AC059DD6D2A16AE1A7C18B458C6C2A4,IMPHASH=944F108D276E56F403D746D62B7187EF","ImageLoaded":"C:\\Windows\\System32\\drivers\\CmBatt.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.106"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14140,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.594767Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=EE4426F777AAC3D374D90F42BC46584B8312FFBE,MD5=53C22DBD08EC5B6EF9D5DAFD4EB459C3,SHA256=EB1DBFFE62C1EA7EE583B39B0F4F32EF54013D7CDD5FB081B7CAA356283D487B,IMPHASH=B8C7E1A2D2D22DD631CF53C8BA6A4772","ImageLoaded":"C:\\Windows\\System32\\drivers\\intelppm.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.106"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14141,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.603580Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=53353A587394978F505059D18C46BC09AF3371DA,MD5=9FE26958C341E1D7C7AC06DCEA6F29A2,SHA256=DC55449E5CC8CE83ABCD1E181A3846E9F60C05902430CC8A2931BA5692A791DA,IMPHASH=423C3240F541D2EC8D19B8866636DDDF","ImageLoaded":"C:\\Windows\\System32\\drivers\\NdisVirtualBus.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.106"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14142,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.610942Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=5D775629BEC5682BE552E7067A00049038EAF9D0,MD5=1F4CEAEF6A3503ECB2DCB8BA280EAACF,SHA256=BBB0CD23E01651E3ED2E5B76756FBA708A6A3C926BDF02C2518D174028937EF4,IMPHASH=00262610D713FE001869507767F30C64","ImageLoaded":"C:\\Windows\\System32\\DriverStore\\FileRepository\\swenum.inf_x86_b6707c73599dd1b6\\swenum.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.106"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14143,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.615485Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=DB894EBC6B7F80B7458F25813F0588C9ACBE9667,MD5=82A782AAFE96EE042061014551FD2771,SHA256=283C45CAF8C18176B2CD00EF0BC0A97948DD2D4994B093B9BB52EC0E9ACC69BF,IMPHASH=A8DF2E21213E698C1EAE709A39187ED3","ImageLoaded":"C:\\Windows\\System32\\drivers\\rdpbus.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.106"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14144,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.622301Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=ED447DDB71C0978557182312D2C17DB5799C88AC,MD5=DE1B942049EB48B4D883B97ACA37A208,SHA256=CB1F9FFBE407D7126628D812A1AAA011B298B5F0B39EBF2ECEB9989914840085,IMPHASH=F5B8A422DF722EA200EB0A5F39EE0B97","ImageLoaded":"C:\\Windows\\System32\\drivers\\flpydisk.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.184"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14145,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.628647Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=CA601BA558C8A55B0D64F5DCA06C27B1AD71CE49,MD5=C61B7C651D539D3E3011E5A453D18540,SHA256=8CCAFAF72346F2906572A3526345BAF8A6A8AE7D404CDEEB287AC43E97FD9AFD,IMPHASH=8FE4FCB04892389A908C2C6441C91937","ImageLoaded":"C:\\Windows\\System32\\drivers\\usbd.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.279"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14146,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.636266Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=C43C649B54960974F78BDB8E40B234B6F3066238,MD5=29BF5C648DB22AF7756669E74CFAB00E,SHA256=DA23FE8CFF2DB8AB63CB432C75D82240B08F81F08AC81F911E9B864A38803C0E,IMPHASH=5811E9077864C66FDABA96F172528C63","ImageLoaded":"C:\\Windows\\System32\\drivers\\usbhub.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.279"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14147,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.642393Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=D801B46AA9C05AF6B7E7D15234668DA9C9E962C3,MD5=32B653F3362D81915932B543A2364997,SHA256=A71BC97EC4B514D27F69C27A955898C5B434EA53AE1486727DE6ED868F0B6665,IMPHASH=F4C1064A50A8A7233A5B15A3D23B9431","ImageLoaded":"C:\\Windows\\System32\\drivers\\USBHUB3.SYS","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.419"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14148,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.650522Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=34417C5D0AF9C198A70C70112EE51BAC2239D0E8,MD5=1F6D6E31D58B5DFF25C62D2AC1F870C9,SHA256=185F13352561F67876DB587EE7A05A734D126D95CE7C3EF6480E9C48F719A8C5,IMPHASH=C3810E2DE20858668970233F32D7E85C","ImageLoaded":"C:\\Windows\\System32\\drivers\\HdAudio.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.435"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14149,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.659202Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=F94B447F2EBBB54D2FCB46C644811283E5652A58,MD5=3C7355642729C37756CA44149F48D9DF,SHA256=953884AA2847258E26A6CFAF3EDC1CF0970402DE7337A31664E3623F73339C57,IMPHASH=8EAAF11F04D24719BAD12D66D688A14C","ImageLoaded":"C:\\Windows\\System32\\drivers\\usbccgp.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.749"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14150,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.664369Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=145277386DB2948D71FC9C2B4280B5AA90D5A44C,MD5=EA0F255FF92DF15A4E5CF1E754FE078D,SHA256=D414E7E46F507EACD3EDA22BA533A04C4951FD1A04E92D6F14AFE1A2CC174107,IMPHASH=F9A0A482277516FDC3C8D46C730B1D18","ImageLoaded":"C:\\Windows\\System32\\drivers\\hidparse.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.755"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14151,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.670953Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=CE4F152F3F233850CE519499502AB211DCE9712D,MD5=C4BCF7592454403CB76B72F66C0DC92E,SHA256=D13D5224B0BBC22F61033FB33685016C34593608A6315169276FC818F3DD6672,IMPHASH=D5BA67C16DB2DCEE4525994CAB22D506","ImageLoaded":"C:\\Windows\\System32\\drivers\\hidclass.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.757"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14152,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.678599Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=929D463F1BD5388C8087731129C5E33D899C40C3,MD5=FCE15806F5ECC17CC7B062A7A5F4A19F,SHA256=6C30792A8D4EFA8D2925500169687AB5EA7618916B3C61451A560FC0A0A47475,IMPHASH=1AC9DB1AB206846E11F90E8DD2128C59","ImageLoaded":"C:\\Windows\\System32\\drivers\\hidusb.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.758"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14153,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.684814Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=CF5AE4B237ACDDCE9313E0476AED7C2DAA1DFDBC,MD5=4CA2D1EE44BE5A4B7C1640C2488EC677,SHA256=41C0EC9CF9FDC274591326F96CB31B5D8B59D9A7981AEC003BA5F63C0FD49166,IMPHASH=998EFE9A1A877527F4F352B817F15F1A","ImageLoaded":"C:\\Windows\\System32\\drivers\\mouhid.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.762"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14154,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.690586Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=8CAC1BAF3DBEAF97C08EEE02CB3544FAFEE96967,MD5=4CAE62B292925DFC5041390D1E9BF85A,SHA256=DCB6EC911D40B73CEB3029F08E31AA2439A78441FB77D76D1B35E1EDD3C49AF3,IMPHASH=874E3DFBBF2C8938646FEB7C8C58016D","ImageLoaded":"C:\\Windows\\System32\\drivers\\vmusbmouse.sys","RuleName":"","Signature":"VMware, Inc.","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:56.764"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14155,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.697564Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=B9C24B5EB588662AFE980BFCAAD9F50D57AECDD0,MD5=6C5842E963A96A69354CCB3D75287A64,SHA256=B2FAA0958A0F380513AD864EC902C3D38A7350EC6126DF0032C9C6ACDE0F2BDE,IMPHASH=8E1048874606F9DFB652BE03DEC7E665","ImageLoaded":"C:\\Windows\\System32\\drivers\\bthport.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:57.072"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14156,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.711100Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=56AF22442D50E7F580261D71F0F04F21FA8E0C7B,MD5=0795D38A537147CD9BCAD92F47AA0547,SHA256=E190B403BF713EF159126C5F9DA877F483269042DA549B02C0918F0A95AB7336,IMPHASH=A675134C906C99ACC5B50E132F703570","ImageLoaded":"C:\\Windows\\System32\\drivers\\BTHUSB.SYS","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:57.088"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14157,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.717408Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" SignatureUpdate -ScheduleJob -RestrictPrivileges","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Malware Protection Command Line Utility","FileVersion":"4.8.10240.16384 (th1.150709-1700)","Hashes":"SHA1=32F82F6961A8F56A7DB9D553F36312D86030BAA4,MD5=B34408F254195B40BD207843C784A5B1,SHA256=CA5F91A0D4DDB6D4A0F2DA328F10DB693C8A31719FA763FF065ED82769E875EF,IMPHASH=C3DE81DF75C0892C1B40C8742D63AF1E","Image":"C:\\Program Files\\Windows Defender\\MpCmdRun.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"MpCmdRun.exe","ParentCommandLine":"\"C:\\Program Files\\Windows Defender\\MsMpEng.exe\"","ParentImage":"C:\\Program Files\\Windows Defender\\MsMpEng.exe","ParentProcessGuid":"21207A7E-6EBD-5D77-0000-0010D4EA0100","ParentProcessId":580,"ProcessGuid":"21207A7E-6EC0-5D77-0000-0010D7F70200","ProcessId":2616,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:04.685"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14158,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.722798Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=C49F32C866FEA27CD2367465B2F9ED318FA84E44,MD5=4BB504C3158A5DE28E30B73A124D97FA,SHA256=E79F7A39815FBCF3EE9FCA5BC17206BAA3515CE27C2A9B0EE6D00C958F03FD2C,IMPHASH=9F870D607E507CFFA8F97C957C2EEA4A","ImageLoaded":"C:\\Windows\\System32\\drivers\\rfcomm.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:57.407"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14159,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.731862Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows","Description":"Console Window Host","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=7DF3BFA4BE09BFCCB10FE356CE45879364A0D2DC,MD5=4287D2FA46FDBFF6100455367C2D7C65,SHA256=6FB167673720640FF09E013432602E6AC9FF33D77DD8C3E4683C89D10B8E9951,IMPHASH=E8B06FF0246662E89A672B447A7462BC","Image":"C:\\Windows\\System32\\conhost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"CONHOST.EXE","ParentCommandLine":"\"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" SignatureUpdate -ScheduleJob -RestrictPrivileges","ParentImage":"C:\\Program Files\\Windows Defender\\MpCmdRun.exe","ParentProcessGuid":"21207A7E-6EC0-5D77-0000-0010D7F70200","ParentProcessId":2616,"ProcessGuid":"21207A7E-6EC0-5D77-0000-001048FD0200","ProcessId":2632,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:04.735"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14160,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.735707Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=D61E17DC6A4D6162166307B611D72D3E5FEC87FD,MD5=5CAFDDCFFC69258B208061DA9EF3CEA5,SHA256=765CA5E5FAA299F0FAEF59A93D0AA80CFB9B64281867A6BBD47CA841B261997A,IMPHASH=F34DFA5053A1E642329749F29E2A3B88","ImageLoaded":"C:\\Windows\\System32\\drivers\\bthenum.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:57.407"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14161,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.761289Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=AA4923FAE91E70CC1825AE7FD3D3C4AB4B8806DC,MD5=B22D830BB547F09BD1028A189A602F74,SHA256=B059A7104B56F00572D9CFE6D137E006010FBE312D5FED239BCDBF7E9823F6B7,IMPHASH=05B91942EF91668083AC5B7896C09EA2","ImageLoaded":"C:\\Windows\\System32\\drivers\\bthpan.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:57.407"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14162,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.770652Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=A6DB682794E4A058F5A9FD3C93B63B766703868B,MD5=19A18FAA24959FF81EF7D71B0B6F150C,SHA256=9A0ECAC6ADE8D5D4407C5103B3270EF430EB01B3269BB3DAA765EF86A835906D,IMPHASH=CC41646B9420FE3B05BDA954719DE2E9","ImageLoaded":"C:\\Windows\\System32\\win32kbase.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:58.048"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14163,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.787666Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" SignatureUpdate -ScheduleJob -RestrictPrivileges -Reinvoke","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Malware Protection Command Line Utility","FileVersion":"4.8.10240.16384 (th1.150709-1700)","Hashes":"SHA1=32F82F6961A8F56A7DB9D553F36312D86030BAA4,MD5=B34408F254195B40BD207843C784A5B1,SHA256=CA5F91A0D4DDB6D4A0F2DA328F10DB693C8A31719FA763FF065ED82769E875EF,IMPHASH=C3DE81DF75C0892C1B40C8742D63AF1E","Image":"C:\\Program Files\\Windows Defender\\MpCmdRun.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E4030000","LogonId":"0x3e4","OriginalFileName":"MpCmdRun.exe","ParentCommandLine":"\"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" SignatureUpdate -ScheduleJob -RestrictPrivileges","ParentImage":"C:\\Program Files\\Windows Defender\\MpCmdRun.exe","ParentProcessGuid":"21207A7E-6EC0-5D77-0000-0010D7F70200","ParentProcessId":2616,"ProcessGuid":"21207A7E-6EC0-5D77-0000-0010AF010300","ProcessId":2664,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\NETWORK SERVICE","UtcTime":"2019-09-10 09:37:04.810"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14164,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.811926Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=B94D154511E1414A0044A746D704033A99F44D5C,MD5=3826FA773D8AC2CCC0D14D45419AEE72,SHA256=5206D5CA5433A9C5AFBD9A964758317D3BF835A85D31A99C83C9FFB951CCFB14,IMPHASH=92E629D4AEA2CAA154A08184FC8ADA3A","ImageLoaded":"C:\\Windows\\System32\\win32kfull.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:58.079"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14165,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.832618Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Program Files\\Windows Defender\\MpCmdRun.exe","ProcessGuid":"21207A7E-6EC0-5D77-0000-0010D7F70200","ProcessId":2616,"RuleName":"","UtcTime":"2019-09-10 09:37:04.834"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14166,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.835509Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=C91F2E75DED73F291643023BA582297ED02CA80C,MD5=59A1BA3738EF688A346DF9C6D2CA433D,SHA256=0CA7FE99D204FA4BB25E665E0C53C2ADB04F565F8B3364AA7FC538794FDBF534,IMPHASH=2779FE4017D1E856029B190D17F6974C","ImageLoaded":"C:\\Windows\\System32\\win32k.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:58.079"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14167,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.850326Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=30AF53F54C43AB50ED67CEEA94F54F8B5A90C87B,MD5=A812535D482611603F677494118F45FE,SHA256=0F3AF63FBECB91AACEC7A927D46C258EA5BF30AFB0E96A584567BFE244D39878,IMPHASH=ECC6886103E1A1715D5682229CB58362","ImageLoaded":"C:\\Windows\\System32\\drivers\\dxgmms1.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:58.344"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14168,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.856425Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=AA21EB2A547610779AAFB4FD78624BEF05EE3525,MD5=E6AD58FFB2091E5EE58A6DBE3D66B11A,SHA256=C6E38FECDFE77142A858D1D03323968940AB4473E6E7346E7856FBAF585B8794,IMPHASH=6E85CB2BB55B462FE1016F8F51BD4FF1","ImageLoaded":"C:\\Windows\\System32\\drivers\\dxgmms2.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:58.360"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14169,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.863351Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\conhost.exe","ProcessGuid":"21207A7E-6EC0-5D77-0000-001048FD0200","ProcessId":2632,"RuleName":"","UtcTime":"2019-09-10 09:37:04.850"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14170,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.864682Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=9FC3976747B826783E6DC84352A0E3EE7B1E7904,MD5=8F8E9A76D13B01B6170EF5DB084356A2,SHA256=B6E98D5A996040BF4EFB77691C3B102C11EB4DDE0DA6EFEA4F7D72DEE64ED221,IMPHASH=961210B654A00631D6E6692C31EB326C","ImageLoaded":"C:\\Windows\\System32\\drivers\\monitor.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:58.360"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14171,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.872600Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=69B8C82DE5BE7E73A2E1368ABD262A7122C62F39,MD5=756F86E6EA3B153B1D0976433497C956,SHA256=452A4CA0F3FB1EBE804209750617BC94E6214ECC6366E10DA016C151652A76B5,IMPHASH=0BFCBF136E39F5BCDCA5B812FEB9FA47","ImageLoaded":"C:\\Windows\\System32\\tsddd.dll","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:58.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14172,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.930667Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=69B8C82DE5BE7E73A2E1368ABD262A7122C62F39,MD5=756F86E6EA3B153B1D0976433497C956,SHA256=452A4CA0F3FB1EBE804209750617BC94E6214ECC6366E10DA016C151652A76B5,IMPHASH=0BFCBF136E39F5BCDCA5B812FEB9FA47","ImageLoaded":"C:\\Windows\\System32\\tsddd.dll","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:58.375"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14173,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.930859Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=845133A7C1812C6AE42FEB2D61387D314CFB44A6,MD5=CE928C1D34FCEE7F81B676D7744BAC15,SHA256=5A6E8B6D7247E88799AC25D4C99F31FFB68C8B9914744A85943CAB83044FDA32,IMPHASH=0617CE202204B65745D685597B2F23D5","ImageLoaded":"C:\\Windows\\System32\\cdd.dll","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:58.407"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14174,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.938266Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=788A1B0417C0F76DD1DD22997B057ABC32E1CF88,MD5=3B9F3769F26C6EA7759D77AAAA24AA60,SHA256=0735EBF9D143D8D901FBE6B240C2C326B341B4B574091D098A156E69C03D0460,IMPHASH=67B058C20627DCD5B0D7933DE9176605","ImageLoaded":"C:\\Windows\\System32\\drivers\\luafv.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:59.184"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14175,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.948690Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=82D88458E7C1F4774574E042BCED93B8EA276A8C,MD5=2BB6C9C6DEE4A991557A4DC1F1425258,SHA256=138477BBDA00A2EC88095E71CC432918B0737A565098B87DD16228819FAF017C,IMPHASH=4C088383F1C66671646BD7DB3CC322F5","ImageLoaded":"C:\\Windows\\System32\\drivers\\storqosflt.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:59.215"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14176,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.954584Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=3551AC82FC1E568E0DB90DCEF73125212925A6A7,MD5=F3088828CA8E7C6CE1CE37A4B036C2EB,SHA256=2670A41D980A7299A454433B1CA3E75B28F0DD94D7CDF946F7308BFBA1E3C0F1,IMPHASH=35AD818DCC224F8BB76CBB8C2FA9E501","ImageLoaded":"C:\\Windows\\System32\\drivers\\lltdio.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:59.590"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14177,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.964899Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=1472ED3BD9475063A6F163ECC37E67E4B75983F8,MD5=24266551599B47E98978A546DC3D1A23,SHA256=C58385DB3F491F82C0C5E20BCFCC61873A14BBA7FB97CC37B590129695CE7D79,IMPHASH=3999E2EFF186294FF8E0F59CA091CEE8","ImageLoaded":"C:\\Windows\\System32\\drivers\\rspndr.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:59.590"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14178,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.971860Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=10FC30C7800A87E2E56A2374C02F15B27A5D1859,MD5=3EAB76F5D8636EA78ECF5F78A238F465,SHA256=03F33B388CB61473D35D452401A7310874D79A4BC6A5C9BA9FA58C53ED50DC6C,IMPHASH=DF739E1B7F2EE49396DEABC39B29E2C6","ImageLoaded":"C:\\Windows\\System32\\drivers\\mslldp.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:59.590"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14179,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.985899Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Malware Protection Command Line Utility","FileVersion":"4.8.10240.16384 (th1.150709-1700)","Hashes":"SHA1=32F82F6961A8F56A7DB9D553F36312D86030BAA4,MD5=B34408F254195B40BD207843C784A5B1,SHA256=CA5F91A0D4DDB6D4A0F2DA328F10DB693C8A31719FA763FF065ED82769E875EF,IMPHASH=C3DE81DF75C0892C1B40C8742D63AF1E","Image":"C:\\Program Files\\Windows Defender\\MpCmdRun.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"MpCmdRun.exe","ParentCommandLine":"\"C:\\Program Files\\Windows Defender\\MsMpEng.exe\"","ParentImage":"C:\\Program Files\\Windows Defender\\MsMpEng.exe","ParentProcessGuid":"21207A7E-6EBD-5D77-0000-0010D4EA0100","ParentProcessId":580,"ProcessGuid":"21207A7E-6EC0-5D77-0000-0010B50D0300","ProcessId":2700,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:04.991"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14180,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.992297Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=42F533D761B65F1F53F5B487838C67921A3A9434,MD5=2D3AF85F7C2B5400B3347F3A799FBBBB,SHA256=FAE68568EACBF3C4250E60079A7EBD19E52A6FC6C628C2B0445289175452DDB1,IMPHASH=776E639E74A1BAC3CDCF97B890F72A56","ImageLoaded":"C:\\Windows\\System32\\drivers\\http.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:59.668"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14181,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:04.995431Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=6AADA4E28B78837B5E413669EAB27619D47A289D,MD5=A21E89AC3D4E897673916CF8B1C97930,SHA256=8EED49D1B1BFCCE3C9E6CA1ABECD9FE97F710DFD25A6A6C20745EB4AA6264BEB,IMPHASH=4FEAB6FF9A5C8BBDDC27DFC7ECCB7C5E","ImageLoaded":"C:\\Windows\\System32\\drivers\\bowser.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:59.746"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14182,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:05.002180Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows","Description":"Console Window Host","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=7DF3BFA4BE09BFCCB10FE356CE45879364A0D2DC,MD5=4287D2FA46FDBFF6100455367C2D7C65,SHA256=6FB167673720640FF09E013432602E6AC9FF33D77DD8C3E4683C89D10B8E9951,IMPHASH=E8B06FF0246662E89A672B447A7462BC","Image":"C:\\Windows\\System32\\conhost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"CONHOST.EXE","ParentCommandLine":"\"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate","ParentImage":"C:\\Program Files\\Windows Defender\\MpCmdRun.exe","ParentProcessGuid":"21207A7E-6EC0-5D77-0000-0010B50D0300","ParentProcessId":2700,"ProcessGuid":"21207A7E-6EC1-5D77-0000-0010380F0300","ProcessId":2708,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:05.007"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14183,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:05.008228Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=BB3B1719DAFEE20775ED811DB6BCEF7DF91F0AA3,MD5=0AFDF5734DAF0D1438802CF22238518C,SHA256=E3668FA75EE63463B4AEDDEBE47DDA79B1A986A1764DE235069B074B5B48D93E,IMPHASH=496033D337C4804C9635842CFFC763A9","ImageLoaded":"C:\\Windows\\System32\\drivers\\mrxsmb.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:59.746"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14184,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:05.013612Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=7B53FA4D7E43D8483BA5A9485BE250D0E565A866,MD5=9D7BA357E013E776773C989EC1AE3A9C,SHA256=82ECCD6F5F40DC58E010B4EF22A982B2249890AC18B98C72EDCB8EB15348FC37,IMPHASH=260C6615CAF7660E417A00BED30FEF17","ImageLoaded":"C:\\Windows\\System32\\drivers\\mrxsmb20.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:59.746"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14185,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:05.023917Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=A84E811A300B87105D559D22FCBB4839E314A74F,MD5=798A39673772739535927A6F1BA1D272,SHA256=84F74084ADECFECEF18B7CC2FD10D75C38BEAF493C0D16443852EB70B81ACD50,IMPHASH=C512297F947E6DA664165101F270A1F8","ImageLoaded":"C:\\Windows\\System32\\drivers\\mpsdrv.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:36:59.762"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14186,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:05.031947Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=F7FBB3F333EC49F69541B96B8EB1ECA86EFCADD6,MD5=FBEA6F67616A51A508ED1D4A82D7594B,SHA256=1AFEE25D100345E7A07B8D931DA69E4F16F39D18D9DD5E1184854B902C274AAF,IMPHASH=5643F6D8C1630D8CAF97D897BEF00E25","ImageLoaded":"C:\\Windows\\System32\\drivers\\srvnet.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:37:00.121"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14187,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:05.039827Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=61300079E4C7893AE1C2674F85B19338AF9945FF,MD5=4A31D5BE69AE15A34B0DB773C2141613,SHA256=1AEEE5FF4352B2E933C541087703E73E14BC73924D394C53D796BA607A62B79E,IMPHASH=E48F7F9C42C1A86150C9F39406D22945","ImageLoaded":"C:\\Windows\\System32\\drivers\\srv2.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:37:00.137"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14188,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:05.059365Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=D86AD3CF83E15F578F6078D8873ABF108856BE63,MD5=D2377D0CCC9396F37FACCF4AA9E0220A,SHA256=A73006708DDE56385A417F6064BFAC16D98FBDC1CB1B524A4B5EB4A96E67A1EE,IMPHASH=2D33BCBA40C41104D31932F3D0E6DDE6","ImageLoaded":"C:\\Windows\\System32\\drivers\\parport.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:37:00.168"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14189,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:05.065767Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=C4A357E6AE4C7C6144B8A43C039874BA6E4B4521,MD5=9AC05CFCF13642C090876FBB25A34EB1,SHA256=51040E965D42D11E31D299272014DBA353252D98594477C10820E339D44E8402,IMPHASH=C89706A272347861466CAA49AA5B54E7","ImageLoaded":"C:\\Windows\\System32\\drivers\\vmmemctl.sys","RuleName":"","Signature":"VMware, Inc.","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:37:00.168"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14190,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:05.072316Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=4348AF8341920B40248CD2B50150D0FDC1A9F4EB,MD5=F2DE758271DF527AFF43F015441F295E,SHA256=6C0652BEF1356CAF5F674610439A3A65195F035AA3F1D10D1409E2FBB61C76C0,IMPHASH=FE15099F1CF027FFBBB70E3EB994534C","ImageLoaded":"C:\\Windows\\System32\\drivers\\mmcss.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:37:00.184"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14191,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:05.078083Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=B5A63AEC26D3D5C12E1B9E43ACAF2C970F348C0B,MD5=389FA116A6E2C19E5EF8F3A76DE563D1,SHA256=5B9E936E39ABB564733FFDE6F95FECB2C5EA1D9EAA2294007139DB02C1611206,IMPHASH=B54459101A8B8FD4283BFA7D96EE74A5","ImageLoaded":"C:\\Windows\\System32\\drivers\\srv.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:37:00.193"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14192,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:05.088388Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=CF9C80580AB6CFB0B4B1B1D34CB733156C32D238,MD5=080A2FB8020FA952FA44085F1D920C80,SHA256=4020E29EC130FBEF6D8DF3EA1A30342312B79D28A26D7976EC6DEAA9CB62D4C2,IMPHASH=E75D9C58E7C6EB68AA6053C77DE18C97","ImageLoaded":"C:\\Windows\\System32\\drivers\\Ndu.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:37:00.193"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14193,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:05.101510Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=812A050AC46A3182B1EEFA1A7EE5EDF8B394B047,MD5=01E23FC4207090A59A42193B74D83F5A,SHA256=3EB2603AEC8180BCBDB488CD3A11E6C0542DE902CD333D97C3086AE39078C582,IMPHASH=B59B4F57627CB1B71C100B8F724607A6","ImageLoaded":"C:\\Windows\\System32\\drivers\\PEAuth.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:37:00.912"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14194,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:05.119606Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=7AA42261EB9F58815456E4CC5CE0A4E1EB84871D,MD5=479CF6845501535F459BD18328659B8D,SHA256=91DD63E5A0C7C9E70E1D19495B2C44C020C8546A8277EF187A9DA2CC6DE19CFC,IMPHASH=95A150E655782DB96AF4A165AF407364","ImageLoaded":"C:\\Windows\\System32\\drivers\\mrxsmb10.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:37:00.928"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14195,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:05.127095Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=B3D5BA41D80DFE38BF2A5FBCB3B98BDB456327CD,MD5=1511984A27D9A11297E975D836782EF5,SHA256=7E0DA4A38D0D231F61298589ADC66A3BB1C10ABCB1DA813644F1C184EA619A59,IMPHASH=6BD44C8D6CA85C36CAC490610DB875A4","ImageLoaded":"C:\\Windows\\System32\\drivers\\tcpipreg.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:37:01.053"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14196,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:05.137214Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=F1809636B1793626397D9ED4ED94180EC3D3F94F,MD5=AA7ABFE1A82DB18108AE6730DB330CE1,SHA256=8E11D416E5185F2CA6F4EF123C6814008C36472081BC72ED7664AF94499C5D27,IMPHASH=9A57634A6335129C6A357160A8A6A50E","ImageLoaded":"C:\\Windows\\System32\\drivers\\WdNisDrv.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:37:01.068"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14197,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:05.141905Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=7EE5BFFEA9B43EFED85E3BDE586D9A20F3445B53,MD5=FA952D35BB717A0BF7C03036817D8F10,SHA256=983F07BBB04C82E68C9F3CBF3DA8651D478D0DB5183F92A6079BD17ADED28C19,IMPHASH=9AD82117A6B59DC6DF80B15002F707A5","ImageLoaded":"C:\\Windows\\System32\\drivers\\condrv.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:37:01.319"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14198,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:05.149107Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=63D80E720E56FCF35BBDC5939C9FCABD9BC49A75,MD5=4D174DA734DC33791BDC34E895F1AFF0,SHA256=06E194DAFCBA6E37040ACE4972A74CB724E17848476523C4003C92BB42B02056,IMPHASH=922BD71063FAEDE06DBDC67A1520B325","ImageLoaded":"C:\\Windows\\System32\\drivers\\vmhgfs.sys","RuleName":"","Signature":"VMware, Inc.","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:37:01.850"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14199,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:05.154529Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=87DD045D5D24AA3FEE92CFE6CE8B60A6CC0A6567,MD5=F03C53C0057FECF9286A26DCFD6599C1,SHA256=197B474422AF9CA26C3D581EA7E34AA99B79EDA90D175C808A87162BF6A4B9B8,IMPHASH=4BF8140AA7940DA4A7A4EBA78C6D9D4F","ImageLoaded":"C:\\Windows\\System32\\drivers\\tunnel.sys","RuleName":"","Signature":"Microsoft Windows","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:37:02.006"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14200,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:05.164204Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Program Files\\Windows Defender\\NisSrv.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Network Realtime Inspection Service","FileVersion":"4.8.10240.16384 (th1.150709-1700)","Hashes":"SHA1=92FF7881838BCA9D687D4D50D42B58F36BBA8739,MD5=9CC5014F1CF23AD232B93898B2CE6D86,SHA256=E74FC2B21758A40BB2CC22CDDB1E6B60C149E602F2688848BFB084A1F4D23CAD,IMPHASH=AE86AEB91F8026D322DF26BAC55D5A69","Image":"C:\\Program Files\\Windows Defender\\NisSrv.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBB-5D77-0000-0020E5030000","LogonId":"0x3e5","OriginalFileName":"NisSrv.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EC1-5D77-0000-001056200300","ProcessId":2808,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\LOCAL SERVICE","UtcTime":"2019-09-10 09:37:05.193"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14201,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:05.206273Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\vssvc.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft® Volume Shadow Copy Service","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=5082F642EDD38FA522D730B49C7FCC356F97C034,MD5=0EC04C8B3F905A1F9516D2122CFBD077,SHA256=DBC213AC63E5B38FF8A1BD9BF0FBCE9C9C0939FC47A4313312123512408DAB5B,IMPHASH=0BB7F33B964C2D90E972E0FD247F5944","Image":"C:\\Windows\\System32\\VSSVC.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"VSSVC.EXE","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EC2-5D77-0000-001032420300","ProcessId":2968,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:06.270"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14202,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:06.283405Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\svchost.exe -k wsappx","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=BCAE71BA4068BE87F9D5739AFEC8F7081D00A97E,MD5=A412DEDAC6A1FF7BA06FEB3B6725495E,SHA256=B4853F76DFE066A5B2AEB3166BAC4D6FF1548E9119205F65AC6CAB6D165F9850,IMPHASH=E7C7977A9A81DE6269643983B71B739C","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"svchost.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EC6-5D77-0000-001077F60600","ProcessId":3092,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:10.964"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14203,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:10.965861Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Program Files\\Windows Defender\\MpCmdRun.exe","ProcessGuid":"21207A7E-6EC0-5D77-0000-0010B50D0300","ProcessId":2700,"RuleName":"","UtcTime":"2019-09-10 09:37:11.506"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14204,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:11.517789Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\conhost.exe","ProcessGuid":"21207A7E-6EC1-5D77-0000-0010380F0300","ProcessId":2708,"RuleName":"","UtcTime":"2019-09-10 09:37:11.506"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14205,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:11.519532Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Program Files\\Windows Defender\\MpCmdRun.exe","ProcessGuid":"21207A7E-6EC0-5D77-0000-0010AF010300","ProcessId":2664,"RuleName":"","UtcTime":"2019-09-10 09:37:11.522"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14206,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:11.529438Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\sppsvc.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows","Description":"Microsoft Software Protection Platform Service","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=E2753CF115C7F2E2C6C22BEFF7F937A29510DC56,MD5=95B9AC2F41DFA40CC56AA51F77148932,SHA256=1F71E689CDDECD619FF1CA406F30504BB2B46B045D395FF12075FA65976EE2FD,IMPHASH=11B57C7A9FF623C0F5F8EC485BFF21CB","Image":"C:\\Windows\\System32\\sppsvc.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E4030000","LogonId":"0x3e4","OriginalFileName":"sppsvc.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6EC7-5D77-0000-001071410700","ProcessId":3160,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\NETWORK SERVICE","UtcTime":"2019-09-10 09:37:11.720"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14207,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:11.785298Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\SppExtComObj.exe -Embedding","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"KMS Connection Broker","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=E09C20B3C10AC828F687B146C0E0F329504023A7,MD5=386627EA8E27AB91B9DD684E4D140C55,SHA256=4FDAEBEC6DCDCE405831671A0642E71BD3382C4452996A50C1DCABD60EB3CC41,IMPHASH=30703062AE3DB4D8E19C67353079248E","Image":"C:\\Windows\\System32\\SppExtComObj.Exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E4030000","LogonId":"0x3e4","OriginalFileName":"SppExtComObj.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-001087AB0000","ParentProcessId":812,"ProcessGuid":"21207A7E-6EC8-5D77-0000-00101B490700","ProcessId":3204,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\NETWORK SERVICE","UtcTime":"2019-09-10 09:37:12.098"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14208,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:12.106396Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\SLUI.exe\" RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailable","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Activation Client","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=464FEA5CD6EE25C5D2CB17560C89252C10190D72,MD5=E28D41C76F1AF19EF677917E275A743B,SHA256=75943C28007AC3653519AC836BACA38632E31F99576E5432DF274B82D65435E3,IMPHASH=64671D84E8B342C40ACA05B407774576","Image":"C:\\Windows\\System32\\slui.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E4030000","LogonId":"0x3e4","OriginalFileName":"slui.exe","ParentCommandLine":"C:\\Windows\\system32\\SppExtComObj.exe -Embedding","ParentImage":"C:\\Windows\\System32\\SppExtComObj.Exe","ParentProcessGuid":"21207A7E-6EC8-5D77-0000-00101B490700","ParentProcessId":3204,"ProcessGuid":"21207A7E-6EC8-5D77-0000-0010DA4A0700","ProcessId":3232,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\NETWORK SERVICE","UtcTime":"2019-09-10 09:37:12.122"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14209,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:12.130706Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\taskhostw.exe","ProcessGuid":"21207A7E-6EBD-5D77-0000-00107FF20100","ProcessId":628,"RuleName":"","UtcTime":"2019-09-10 09:37:12.146"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14210,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:12.161543Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\taskhostw.exe","ProcessGuid":"21207A7E-6EBB-5D77-0000-0010865B0100","ProcessId":1372,"RuleName":"","UtcTime":"2019-09-10 09:37:12.491"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14211,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:12.498971Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\slui.exe","ProcessGuid":"21207A7E-6EC8-5D77-0000-0010DA4A0700","ProcessId":3232,"RuleName":"","UtcTime":"2019-09-10 09:37:13.616"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14212,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:13.617733Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"COM Surrogate","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=B475217A1525063D7119E6AC288FB92638490373,MD5=21561B7B85B1C77F00ECA96BC30E9A20,SHA256=D17414E03A595A81D5925CADB099B71335ED54D836B1FDEE3BD0EE28B19EC3EA,IMPHASH=40D2E175C2888C8C61143B657C14F464","Image":"C:\\Windows\\System32\\dllhost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"dllhost.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-001087AB0000","ParentProcessId":812,"ProcessGuid":"21207A7E-6ECA-5D77-0000-00100C5E0700","ProcessId":3304,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:14.099"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14213,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:14.100335Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"NewThreadId":3348,"RuleName":"","SourceImage":"C:\\Windows\\System32\\winlogon.exe","SourceProcessGuid":"21207A7E-6EBA-5D77-0000-0010698C0000","SourceProcessId":676,"StartAddress":"0x93B8DC60","StartFunction":"","StartModule":"","TargetImage":"C:\\Windows\\System32\\csrss.exe","TargetProcessGuid":"21207A7E-6EBA-5D77-0000-0010C7890000","TargetProcessId":636,"UtcTime":"2019-09-10 09:37:14.131"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":8,"EventRecordID":14214,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":8,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:14.166309Z"}},"Version":2}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"sihost.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Shell Infrastructure Host","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=DBE38AF08B382B01B1439812B81BA645ACD999E9,MD5=F7126D3EF8D13B170B179769A99245C5,SHA256=11C4617158E4EC66523ED92DFB07C98FC70F8BE41AA43BB419A3F513E7D6D941,IMPHASH=25FF81C5B4A27B3D8354C3C24A877261","Image":"C:\\Windows\\System32\\sihost.exe","IntegrityLevel":"Medium","LogonGuid":"21207A7E-6ECA-5D77-0000-0020AD5A0700","LogonId":"0x75aad","OriginalFileName":"sihost.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBB-5D77-0000-001025350100","ParentProcessId":1028,"ProcessGuid":"21207A7E-6ECA-5D77-0000-0010596C0700","ProcessId":3352,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:37:14.234"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14215,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:14.255767Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"taskhostw.exe logon","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Tasks","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=6A38BAE4824CD34A98E77DD524335CF01A4BD68B,MD5=881B943EF7081F6D3DB8D4F3B2E22631,SHA256=B42C95B2C9209790B68B36CE98E635D578437D33104436A222B5675793A9F7F1,IMPHASH=6579605FE7754836EE0018C314B4EA8A","Image":"C:\\Windows\\System32\\taskhostw.exe","IntegrityLevel":"Medium","LogonGuid":"21207A7E-6ECA-5D77-0000-0020AD5A0700","LogonId":"0x75aad","OriginalFileName":"taskhostw.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBB-5D77-0000-001025350100","ParentProcessId":1028,"ProcessGuid":"21207A7E-6ECA-5D77-0000-00104D6E0700","ProcessId":3372,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:37:14.270"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14216,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:14.271749Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Tasks","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=6A38BAE4824CD34A98E77DD524335CF01A4BD68B,MD5=881B943EF7081F6D3DB8D4F3B2E22631,SHA256=B42C95B2C9209790B68B36CE98E635D578437D33104436A222B5675793A9F7F1,IMPHASH=6579605FE7754836EE0018C314B4EA8A","Image":"C:\\Windows\\System32\\taskhostw.exe","IntegrityLevel":"Medium","LogonGuid":"21207A7E-6ECA-5D77-0000-0020AD5A0700","LogonId":"0x75aad","OriginalFileName":"taskhostw.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBB-5D77-0000-001025350100","ParentProcessId":1028,"ProcessGuid":"21207A7E-6ECA-5D77-0000-0010406F0700","ProcessId":3388,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:37:14.279"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14217,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:14.281626Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\taskhostw.exe","ProcessGuid":"21207A7E-6ECA-5D77-0000-00104D6E0700","ProcessId":3372,"RuleName":"","UtcTime":"2019-09-10 09:37:14.350"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14218,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:14.357812Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\System32\\SLUI.exe\" RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=UserLogon;SessionId=1","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Activation Client","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=464FEA5CD6EE25C5D2CB17560C89252C10190D72,MD5=E28D41C76F1AF19EF677917E275A743B,SHA256=75943C28007AC3653519AC836BACA38632E31F99576E5432DF274B82D65435E3,IMPHASH=64671D84E8B342C40ACA05B407774576","Image":"C:\\Windows\\System32\\slui.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E4030000","LogonId":"0x3e4","OriginalFileName":"slui.exe","ParentCommandLine":"C:\\Windows\\system32\\SppExtComObj.exe -Embedding","ParentImage":"C:\\Windows\\System32\\SppExtComObj.Exe","ParentProcessGuid":"21207A7E-6EC8-5D77-0000-00101B490700","ParentProcessId":3204,"ProcessGuid":"21207A7E-6ECA-5D77-0000-0010FF770700","ProcessId":3460,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\NETWORK SERVICE","UtcTime":"2019-09-10 09:37:14.367"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14219,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:14.370832Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"taskhostw.exe USER","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Tasks","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=6A38BAE4824CD34A98E77DD524335CF01A4BD68B,MD5=881B943EF7081F6D3DB8D4F3B2E22631,SHA256=B42C95B2C9209790B68B36CE98E635D578437D33104436A222B5675793A9F7F1,IMPHASH=6579605FE7754836EE0018C314B4EA8A","Image":"C:\\Windows\\System32\\taskhostw.exe","IntegrityLevel":"Medium","LogonGuid":"21207A7E-6ECA-5D77-0000-0020AD5A0700","LogonId":"0x75aad","OriginalFileName":"taskhostw.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBB-5D77-0000-001025350100","ParentProcessId":1028,"ProcessGuid":"21207A7E-6ECA-5D77-0000-0010A0790700","ProcessId":3476,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:37:14.383"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14220,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:14.387825Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\System32\\slui.exe -Embedding","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Activation Client","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=464FEA5CD6EE25C5D2CB17560C89252C10190D72,MD5=E28D41C76F1AF19EF677917E275A743B,SHA256=75943C28007AC3653519AC836BACA38632E31F99576E5432DF274B82D65435E3,IMPHASH=64671D84E8B342C40ACA05B407774576","Image":"C:\\Windows\\System32\\slui.exe","IntegrityLevel":"Medium","LogonGuid":"21207A7E-6ECA-5D77-0000-0020AD5A0700","LogonId":"0x75aad","OriginalFileName":"slui.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-001087AB0000","ParentProcessId":812,"ProcessGuid":"21207A7E-6ECA-5D77-0000-0010AB7B0700","ProcessId":3512,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:37:14.424"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14221,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:14.425348Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\userinit.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Userinit Logon Application","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=94C49ED3D30CBC871E5207FD5961FDFE8A6D058F,MD5=A89C18F5E6D8981D5E937B325290915A,SHA256=54E385EB0873CB53A68B3D53D886463D3B0414130ED1F4E4C0911098518136EA,IMPHASH=0C79B4834B30F0F69FC2C5326DD74AD6","Image":"C:\\Windows\\System32\\userinit.exe","IntegrityLevel":"Medium","LogonGuid":"21207A7E-6ECA-5D77-0000-0020AD5A0700","LogonId":"0x75aad","OriginalFileName":"USERINIT.EXE","ParentCommandLine":"winlogon.exe","ParentImage":"C:\\Windows\\System32\\winlogon.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010698C0000","ParentProcessId":676,"ProcessGuid":"21207A7E-6ECA-5D77-0000-001014860700","ProcessId":3580,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:37:14.519"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14222,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:14.528097Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\Explorer.EXE","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Explorer","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=FA81654E2791B172E2E73B2F9C0AB414335EBB27,MD5=77DA3B74F4D2ED7A58F081E423688A30,SHA256=AA72F07A9D8A75F4304D6905D6B328072A161ADB6820F845AD2C27EDD1FCD2C0,IMPHASH=690B56DC72EC517094B507C127CCFC79","Image":"C:\\Windows\\explorer.exe","IntegrityLevel":"Medium","LogonGuid":"21207A7E-6ECA-5D77-0000-0020AD5A0700","LogonId":"0x75aad","OriginalFileName":"EXPLORER.EXE","ParentCommandLine":"C:\\Windows\\system32\\userinit.exe","ParentImage":"C:\\Windows\\System32\\userinit.exe","ParentProcessGuid":"21207A7E-6ECA-5D77-0000-001014860700","ParentProcessId":3580,"ProcessGuid":"21207A7E-6ECA-5D77-0000-001033880700","ProcessId":3596,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:37:14.543"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14223,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:14.590669Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\System32\\RuntimeBroker.exe -Embedding","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Runtime Broker","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=D768A7973C62F4648B53546326E46B67D10251DD,MD5=FF407024A88F3346FB832914E94EC48F,SHA256=8F3BA508F6A07D312E15047E797F31C8609253510664575CA1A1F8CEFA7DD5C1,IMPHASH=F43BE416C102ABE109A0659405ABF4DC","Image":"C:\\Windows\\System32\\RuntimeBroker.exe","IntegrityLevel":"Medium","LogonGuid":"21207A7E-6ECA-5D77-0000-0020AD5A0700","LogonId":"0x75aad","OriginalFileName":"RuntimeBroker.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-001087AB0000","ParentProcessId":812,"ProcessGuid":"21207A7E-6ECA-5D77-0000-00101E940700","ProcessId":3648,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:37:14.709"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14224,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:14.716822Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\SearchIndexer.exe /Embedding","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Windows Search Indexer","FileVersion":"7.00.10240.16384 (th1.150709-1700)","Hashes":"SHA1=1DF820DB6BC9CD7BD813926116128BA9C9A10006,MD5=714657E45CD21F37B40447E81F2583D6,SHA256=D183A60F030FC12B30A25C49EC2F761A7778D10969589F481C6F6749A8A8BCD9,IMPHASH=7BF33B66AD1997B458E4978D6AA14D34","Image":"C:\\Windows\\System32\\SearchIndexer.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"SearchIndexer.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6ECB-5D77-0000-0010EFB30700","ProcessId":3724,"Product":"Windows® Search","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:15.133"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14225,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:15.152012Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe\" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\","Description":"Windows Shell Experience Host","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=47F2C7CA4955F74A386E6EBE60DA3AAAEBCBE352,MD5=6AFE86CC3DE663DE2D8F1E3252382F24,SHA256=80EEED5632FB6882786BF246265B3BF889008292048AE369FF462FAC89BECA8A,IMPHASH=D40F706952DC604AF902E2EFD8A5C21B","Image":"C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe","IntegrityLevel":"AppContainer","LogonGuid":"21207A7E-6ECA-5D77-0000-0020AD5A0700","LogonId":"0x75aad","OriginalFileName":"ShellExperienceHost.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-001087AB0000","ParentProcessId":812,"ProcessGuid":"21207A7E-6ECB-5D77-0000-001087DC0700","ProcessId":4020,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:37:15.808"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14226,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:15.827427Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\slui.exe","ProcessGuid":"21207A7E-6ECA-5D77-0000-0010FF770700","ProcessId":3460,"RuleName":"","UtcTime":"2019-09-10 09:37:15.959"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14227,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:15.975232Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\slui.exe","ProcessGuid":"21207A7E-6ECA-5D77-0000-0010AB7B0700","ProcessId":3512,"RuleName":"","UtcTime":"2019-09-10 09:37:15.975"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14228,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:15.980747Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe\" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\","Description":"Search and Cortana application","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=7B5F503E40A71019D7CD7B7C0B48AE6BC6A8C8CD,MD5=E83AEECA36AE328882FB334F2DE32EAF,SHA256=7F782BD3846D281A29891938EDC31A46F34BE3781272A3E9A0412E15DF38B621,IMPHASH=40F4C491C811D0002F144F1E97629E01","Image":"C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe","IntegrityLevel":"AppContainer","LogonGuid":"21207A7E-6ECA-5D77-0000-0020AD5A0700","LogonId":"0x75aad","OriginalFileName":"SearchUI.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-001087AB0000","ParentProcessId":812,"ProcessGuid":"21207A7E-6ECC-5D77-0000-0010B7EB0700","ProcessId":1672,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:37:16.151"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14229,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:16.208317Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\LogonUI.exe","ProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6040100","ProcessId":948,"RuleName":"","UtcTime":"2019-09-10 09:37:17.443"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14230,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:17.453719Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\taskhostw.exe","ProcessGuid":"21207A7E-6ECA-5D77-0000-0010A0790700","ProcessId":3476,"RuleName":"","UtcTime":"2019-09-10 09:37:17.896"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14231,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:17.907159Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\SearchProtocolHost.exe\" Global\\UsGthrFltPipeMssGthrPipe1_ Global\\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 \"Software\\Microsoft\\Windows Search\" \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)\" \"C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\usgthrsvc\" \"DownLevelDaemon\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Windows Search Protocol Host","FileVersion":"7.00.10240.16384 (th1.150709-1700)","Hashes":"SHA1=A0E317A76134A49D1F10D82DD5E36BB510F058A6,MD5=84EB6D7AF73E10486135F1525168F9CF,SHA256=9EA9FF5EECACFD5E6E24E8EC67C4FACBE3BA87734D1A4D208D024449BC853E7F,IMPHASH=86120B538168BB8DDA7AA8AC9FDA326E","Image":"C:\\Windows\\System32\\SearchProtocolHost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"SearchProtocolHost.exe","ParentCommandLine":"C:\\Windows\\system32\\SearchIndexer.exe /Embedding","ParentImage":"C:\\Windows\\System32\\SearchIndexer.exe","ParentProcessGuid":"21207A7E-6ECB-5D77-0000-0010EFB30700","ParentProcessId":3724,"ProcessGuid":"21207A7E-6ECD-5D77-0000-001098640800","ProcessId":1372,"Product":"Windows® Search","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:17.965"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14232,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:17.969770Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\SearchFilterHost.exe\" 0 612 616 624 8192 620 ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Windows Search Filter Host","FileVersion":"7.00.10240.16384 (th1.150709-1700)","Hashes":"SHA1=50D067B8AD83AEDEC6874032744123577B5C3946,MD5=675CBA18E97CF6AE918100665451F4D3,SHA256=A149F35ED144E34B0652007F0382536BDB36258FBC3068459B64AB6C54B86952,IMPHASH=E300F39176345F8F5EA7ABC22320ACDD","Image":"C:\\Windows\\System32\\SearchFilterHost.exe","IntegrityLevel":"Medium","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"SearchFilterHost.exe","ParentCommandLine":"C:\\Windows\\system32\\SearchIndexer.exe /Embedding","ParentImage":"C:\\Windows\\System32\\SearchIndexer.exe","ParentProcessGuid":"21207A7E-6ECB-5D77-0000-0010EFB30700","ParentProcessId":3724,"ProcessGuid":"21207A7E-6ECD-5D77-0000-0010D0660800","ProcessId":3240,"Product":"Windows® Search","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:17.985"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14233,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:17.989299Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\wermgr.exe\" \"-outproc\" \"0\" \"1028\" \"6912\" \"4880\" \"6964\" \"0\" \"0\" \"0\" \"0\" \"0\" \"0\" \"0\" \"0\" ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Problem Reporting","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=9727C90F54E065A239790390941E6D3B9973300B,MD5=BCFF424B4D86A1F0AEE494BFBA96B467,SHA256=E278FDDAE847FD76C8E52D84E0610C1F4D78FADAF32D04AB4E0FF7C2898147EE,IMPHASH=B2F9441EB32EA474D2BFDC19E68A2ECC","Image":"C:\\Windows\\System32\\wermgr.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"WerMgr","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBB-5D77-0000-001025350100","ParentProcessId":1028,"ProcessGuid":"21207A7E-6ECE-5D77-0000-00107B800800","ProcessId":1968,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:18.528"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14234,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:18.532288Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\wermgr.exe -upload","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows Problem Reporting","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=9727C90F54E065A239790390941E6D3B9973300B,MD5=BCFF424B4D86A1F0AEE494BFBA96B467,SHA256=E278FDDAE847FD76C8E52D84E0610C1F4D78FADAF32D04AB4E0FF7C2898147EE,IMPHASH=B2F9441EB32EA474D2BFDC19E68A2ECC","Image":"C:\\Windows\\System32\\wermgr.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"WerMgr","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBB-5D77-0000-001025350100","ParentProcessId":1028,"ProcessGuid":"21207A7E-6ECE-5D77-0000-0010F3830800","ProcessId":964,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:18.571"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14235,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:18.572476Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\wermgr.exe","ProcessGuid":"21207A7E-6ECE-5D77-0000-00107B800800","ProcessId":1968,"RuleName":"","UtcTime":"2019-09-10 09:37:18.569"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14236,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:18.573663Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\dllhost.exe","ProcessGuid":"21207A7E-6ECA-5D77-0000-00100C5E0700","ProcessId":3304,"RuleName":"","UtcTime":"2019-09-10 09:37:19.209"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14237,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:19.210885Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\System32\\mobsync.exe -Embedding","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Sync Center","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=CCDA739C4D0C34BBE2378D32051333B4ADE751B1,MD5=286B06B8DBC6520E46DF8F4086145C36,SHA256=4CD4DA575608694123741E4A19F2AD3A9A5B7F41207258F2CDD7434C04868A0F,IMPHASH=E82E489CBE44F910D232DA4A39204282","Image":"C:\\Windows\\System32\\mobsync.exe","IntegrityLevel":"Medium","LogonGuid":"21207A7E-6ECA-5D77-0000-0020AD5A0700","LogonId":"0x75aad","OriginalFileName":"mobsync.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-001087AB0000","ParentProcessId":812,"ProcessGuid":"21207A7E-6ED0-5D77-0000-00100FA90800","ProcessId":3316,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:37:20.681"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14238,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:20.685371Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"WMI Provider Host","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=34A322B2EF10C4E14D48995E56E4713011749309,MD5=834639C9DB8BFA558EE3714E7D61BF27,SHA256=D4C0038ED86C0A021095CFB85FA4D30BD9626E35CF934C0E8F5BB4C55DE1064C,IMPHASH=ACAC5A7B11D5E304A3AFB1A50B6D3941","Image":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"Wmiprvse.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-001087AB0000","ParentProcessId":812,"ProcessGuid":"21207A7E-6ED1-5D77-0000-00106CC00800","ProcessId":1968,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:21.893"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14239,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:21.895783Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\backgroundTaskHost.exe\" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\","Description":"Background Task Host","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=0AED09163CC857C7BACAC953461225713DCA09F1,MD5=B7C738367CEA003DC7609993DBE4EFA5,SHA256=4D143A0B6F1FA8AA8235CDD5EE25CCE108E4E5C65B561CF3FC8FE769B9FC6959,IMPHASH=44F48CF86DC5D98588235CD0E909B6C3","Image":"C:\\Windows\\System32\\backgroundTaskHost.exe","IntegrityLevel":"AppContainer","LogonGuid":"21207A7E-6ECA-5D77-0000-0020AD5A0700","LogonId":"0x75aad","OriginalFileName":"backgroundTaskHost.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-001087AB0000","ParentProcessId":812,"ProcessGuid":"21207A7E-6ED2-5D77-0000-001028D50800","ProcessId":4108,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:37:22.071"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14240,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.072939Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\backgroundTaskHost.exe","ProcessGuid":"21207A7E-6ED2-5D77-0000-001028D50800","ProcessId":4108,"RuleName":"","UtcTime":"2019-09-10 09:37:22.147"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14241,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.153071Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\KERNELBASE.dll+cf8c8|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+11ed4|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+11f61|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+aa62|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a7d2|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a3d4|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+9100|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll+28f86|C:\\Windows\\system32\\mscoree.dll+28ae5|C:\\Windows\\system32\\advapi32.dll+119a5|C:\\Windows\\system32\\advapi32.dll+12866|C:\\Windows\\system32\\advapi32.dll+12cea|C:\\Windows\\system32\\KERNELBASE.dll+ab982|C:\\Windows\\system32\\KERNELBASE.dll+aacc3|C:\\Windows\\SYSTEM32\\pdh.dll+9ef3","GrantedAccess":"0x1400","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","SourceProcessGUID":"21207A7E-6ED1-5D77-0000-00106CC00800","SourceProcessId":1968,"SourceThreadId":3308,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:22.147"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14242,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.172213Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\KERNELBASE.dll+cf8c8|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+b3e0|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+b820|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+122e2|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a981|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a515|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+9100|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll+28f86|C:\\Windows\\system32\\mscoree.dll+28ae5|C:\\Windows\\system32\\advapi32.dll+119a5|C:\\Windows\\system32\\advapi32.dll+12866|C:\\Windows\\system32\\advapi32.dll+12cea|C:\\Windows\\system32\\KERNELBASE.dll+ab982|C:\\Windows\\system32\\KERNELBASE.dll+aacc3|C:\\Windows\\SYSTEM32\\pdh.dll+9ef3","GrantedAccess":"0x1400","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","SourceProcessGUID":"21207A7E-6ED1-5D77-0000-00106CC00800","SourceProcessId":1968,"SourceThreadId":3308,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:22.147"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14243,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.172388Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\KERNELBASE.dll+cf8c8|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+11ed4|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+11f61|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+aa62|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a7d2|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a3d4|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+9226|C:\\Windows\\system32\\mscoree.dll+28139|C:\\Windows\\system32\\advapi32.dll+125f2|C:\\Windows\\system32\\advapi32.dll+12cea|C:\\Windows\\system32\\KERNELBASE.dll+ab982|C:\\Windows\\system32\\KERNELBASE.dll+aacc3|C:\\Windows\\SYSTEM32\\pdh.dll+9ef3|C:\\Windows\\SYSTEM32\\pdh.dll+85d3|C:\\Windows\\SYSTEM32\\pdh.dll+361c3","GrantedAccess":"0x1400","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","SourceProcessGUID":"21207A7E-6ED1-5D77-0000-00106CC00800","SourceProcessId":1968,"SourceThreadId":3308,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:22.162"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14244,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.174337Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\KERNELBASE.dll+cf8c8|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+b3e0|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+b820|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+122e2|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a981|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a515|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+9226|C:\\Windows\\system32\\mscoree.dll+28139|C:\\Windows\\system32\\advapi32.dll+125f2|C:\\Windows\\system32\\advapi32.dll+12cea|C:\\Windows\\system32\\KERNELBASE.dll+ab982|C:\\Windows\\system32\\KERNELBASE.dll+aacc3|C:\\Windows\\SYSTEM32\\pdh.dll+9ef3|C:\\Windows\\SYSTEM32\\pdh.dll+85d3|C:\\Windows\\SYSTEM32\\pdh.dll+361c3","GrantedAccess":"0x1400","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","SourceProcessGUID":"21207A7E-6ED1-5D77-0000-00106CC00800","SourceProcessId":1968,"SourceThreadId":3308,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:22.162"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14245,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.174381Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\KERNELBASE.dll+cf8c8|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+11ed4|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+11f61|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+aa62|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a7d2|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a3d4|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+9273|C:\\Windows\\system32\\mscoree.dll+28139|C:\\Windows\\system32\\advapi32.dll+125f2|C:\\Windows\\system32\\advapi32.dll+12cea|C:\\Windows\\system32\\KERNELBASE.dll+ab982|C:\\Windows\\system32\\KERNELBASE.dll+aacc3|C:\\Windows\\SYSTEM32\\pdh.dll+9ef3|C:\\Windows\\SYSTEM32\\pdh.dll+85d3|C:\\Windows\\SYSTEM32\\pdh.dll+361c3","GrantedAccess":"0x1400","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","SourceProcessGUID":"21207A7E-6ED1-5D77-0000-00106CC00800","SourceProcessId":1968,"SourceThreadId":3308,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:22.162"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14246,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.176350Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\KERNELBASE.dll+cf8c8|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+b3e0|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+b820|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+122e2|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a981|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a515|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+9273|C:\\Windows\\system32\\mscoree.dll+28139|C:\\Windows\\system32\\advapi32.dll+125f2|C:\\Windows\\system32\\advapi32.dll+12cea|C:\\Windows\\system32\\KERNELBASE.dll+ab982|C:\\Windows\\system32\\KERNELBASE.dll+aacc3|C:\\Windows\\SYSTEM32\\pdh.dll+9ef3|C:\\Windows\\SYSTEM32\\pdh.dll+85d3|C:\\Windows\\SYSTEM32\\pdh.dll+361c3","GrantedAccess":"0x1400","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","SourceProcessGUID":"21207A7E-6ED1-5D77-0000-00106CC00800","SourceProcessId":1968,"SourceThreadId":3308,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:22.162"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14247,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.176395Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\KERNELBASE.dll+cf8c8|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+11ed4|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+11f61|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+aa62|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a7d2|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a3d4|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+9273|C:\\Windows\\system32\\mscoree.dll+28139|C:\\Windows\\system32\\advapi32.dll+125f2|C:\\Windows\\system32\\advapi32.dll+12cea|C:\\Windows\\system32\\KERNELBASE.dll+ab982|C:\\Windows\\system32\\KERNELBASE.dll+aacc3|C:\\Windows\\SYSTEM32\\pdh.dll+9ef3|C:\\Windows\\SYSTEM32\\pdh.dll+85d3|C:\\Windows\\SYSTEM32\\pdh.dll+361c3","GrantedAccess":"0x1400","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","SourceProcessGUID":"21207A7E-6ED1-5D77-0000-00106CC00800","SourceProcessId":1968,"SourceThreadId":3308,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:22.178"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14248,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.187281Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\KERNELBASE.dll+cf8c8|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+b3e0|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+b820|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+122e2|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a981|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a515|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+9273|C:\\Windows\\system32\\mscoree.dll+28139|C:\\Windows\\system32\\advapi32.dll+125f2|C:\\Windows\\system32\\advapi32.dll+12cea|C:\\Windows\\system32\\KERNELBASE.dll+ab982|C:\\Windows\\system32\\KERNELBASE.dll+aacc3|C:\\Windows\\SYSTEM32\\pdh.dll+9ef3|C:\\Windows\\SYSTEM32\\pdh.dll+85d3|C:\\Windows\\SYSTEM32\\pdh.dll+361c3","GrantedAccess":"0x1400","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","SourceProcessGUID":"21207A7E-6ED1-5D77-0000-00106CC00800","SourceProcessId":1968,"SourceThreadId":3308,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:22.178"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14249,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.187325Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\KERNELBASE.dll+cf8c8|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+11ed4|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+11f61|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+aa62|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a7d2|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a3d4|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+9273|C:\\Windows\\system32\\mscoree.dll+28139|C:\\Windows\\system32\\advapi32.dll+125f2|C:\\Windows\\system32\\advapi32.dll+12cea|C:\\Windows\\system32\\KERNELBASE.dll+ab982|C:\\Windows\\system32\\KERNELBASE.dll+aacc3|C:\\Windows\\SYSTEM32\\pdh.dll+9ef3|C:\\Windows\\SYSTEM32\\pdh.dll+85d3|C:\\Windows\\SYSTEM32\\pdh.dll+361c3","GrantedAccess":"0x1400","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","SourceProcessGUID":"21207A7E-6ED1-5D77-0000-00106CC00800","SourceProcessId":1968,"SourceThreadId":3308,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:22.209"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14250,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.222037Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\KERNELBASE.dll+cf8c8|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+b3e0|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+b820|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+122e2|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a981|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a515|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+9273|C:\\Windows\\system32\\mscoree.dll+28139|C:\\Windows\\system32\\advapi32.dll+125f2|C:\\Windows\\system32\\advapi32.dll+12cea|C:\\Windows\\system32\\KERNELBASE.dll+ab982|C:\\Windows\\system32\\KERNELBASE.dll+aacc3|C:\\Windows\\SYSTEM32\\pdh.dll+9ef3|C:\\Windows\\SYSTEM32\\pdh.dll+85d3|C:\\Windows\\SYSTEM32\\pdh.dll+361c3","GrantedAccess":"0x1400","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","SourceProcessGUID":"21207A7E-6ED1-5D77-0000-00106CC00800","SourceProcessId":1968,"SourceThreadId":3308,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:22.209"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14251,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.222084Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\wbem\\WmiApSrv.exe","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"WMI Performance Reverse Adapter","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=45FA774ED0366D20AE696C5523AC57A1E33A00FB,MD5=154C06735F0EE1D62D75864008BA2C2E,SHA256=47902FDAFE82E97028FE1DFBA8F51FF940DA2AB29E037F29BB7C164064DD2E72,IMPHASH=44E8C7F2BD507B81D492ED2A324B200F","Image":"C:\\Windows\\System32\\wbem\\WmiApSrv.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"WmiApSrv.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentImage":"C:\\Windows\\System32\\services.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-0010C6960000","ParentProcessId":740,"ProcessGuid":"21207A7E-6ED2-5D77-0000-0010BCEF0800","ProcessId":4164,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:22.241"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14252,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.244565Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\KERNELBASE.dll+cf8c8|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+11ed4|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+11f61|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+aa62|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a7d2|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a3d4|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+9273|C:\\Windows\\system32\\mscoree.dll+28139|C:\\Windows\\system32\\advapi32.dll+125f2|C:\\Windows\\system32\\advapi32.dll+12cea|C:\\Windows\\system32\\KERNELBASE.dll+ab982|C:\\Windows\\system32\\KERNELBASE.dll+aacc3|C:\\Windows\\SYSTEM32\\pdh.dll+9ef3|C:\\Windows\\SYSTEM32\\pdh.dll+85d3|C:\\Windows\\SYSTEM32\\pdh.dll+36217","GrantedAccess":"0x1400","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","SourceProcessGUID":"21207A7E-6ED1-5D77-0000-00106CC00800","SourceProcessId":1968,"SourceThreadId":3308,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:22.429"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14253,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.440007Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\KERNELBASE.dll+cf8c8|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+b3e0|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+b820|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+122e2|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a981|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a515|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+9273|C:\\Windows\\system32\\mscoree.dll+28139|C:\\Windows\\system32\\advapi32.dll+125f2|C:\\Windows\\system32\\advapi32.dll+12cea|C:\\Windows\\system32\\KERNELBASE.dll+ab982|C:\\Windows\\system32\\KERNELBASE.dll+aacc3|C:\\Windows\\SYSTEM32\\pdh.dll+9ef3|C:\\Windows\\SYSTEM32\\pdh.dll+85d3|C:\\Windows\\SYSTEM32\\pdh.dll+36217","GrantedAccess":"0x1400","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","SourceProcessGUID":"21207A7E-6ED1-5D77-0000-00106CC00800","SourceProcessId":1968,"SourceThreadId":3308,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:22.429"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14254,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.440053Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\System32\\perfproc.dll+30e3|C:\\Windows\\System32\\perfproc.dll+3015|C:\\Windows\\System32\\perfproc.dll+2cad|C:\\Windows\\system32\\advapi32.dll+125f2|C:\\Windows\\system32\\advapi32.dll+12cea|C:\\Windows\\system32\\KERNELBASE.dll+ab982|C:\\Windows\\system32\\KERNELBASE.dll+aacc3|C:\\Windows\\SYSTEM32\\pdh.dll+11412|C:\\Windows\\SYSTEM32\\pdh.dll+85d3|C:\\Windows\\SYSTEM32\\pdh.dll+36217|C:\\Windows\\SYSTEM32\\pdh.dll+335df|C:\\Windows\\SYSTEM32\\pdh.dll+33739|C:\\Windows\\System32\\wbem\\WmiPerfClass.dll+ce15|C:\\Windows\\System32\\wbem\\WmiPerfClass.dll+d3f2|C:\\Windows\\System32\\wbem\\WmiPerfClass.dll+5136","GrantedAccess":"0x1fffff","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","SourceProcessGUID":"21207A7E-6ED1-5D77-0000-00106CC00800","SourceProcessId":1968,"SourceThreadId":3308,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:22.444"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14255,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.541023Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\KERNELBASE.dll+cf8c8|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+11ed4|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+11f61|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+aa62|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a7d2|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a3d4|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+9273|C:\\Windows\\system32\\mscoree.dll+28139|C:\\Windows\\system32\\advapi32.dll+125f2|C:\\Windows\\system32\\advapi32.dll+12cea|C:\\Windows\\system32\\KERNELBASE.dll+ab982|C:\\Windows\\system32\\KERNELBASE.dll+aacc3|C:\\Windows\\SYSTEM32\\pdh.dll+9ef3|C:\\Windows\\SYSTEM32\\pdh.dll+85d3|C:\\Windows\\SYSTEM32\\pdh.dll+36217","GrantedAccess":"0x1400","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","SourceProcessGUID":"21207A7E-6ED1-5D77-0000-00106CC00800","SourceProcessId":1968,"SourceThreadId":3308,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:22.537"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14256,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.551597Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\KERNELBASE.dll+cf8c8|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+b3e0|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+b820|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+122e2|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a981|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a515|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+9273|C:\\Windows\\system32\\mscoree.dll+28139|C:\\Windows\\system32\\advapi32.dll+125f2|C:\\Windows\\system32\\advapi32.dll+12cea|C:\\Windows\\system32\\KERNELBASE.dll+ab982|C:\\Windows\\system32\\KERNELBASE.dll+aacc3|C:\\Windows\\SYSTEM32\\pdh.dll+9ef3|C:\\Windows\\SYSTEM32\\pdh.dll+85d3|C:\\Windows\\SYSTEM32\\pdh.dll+36217","GrantedAccess":"0x1400","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","SourceProcessGUID":"21207A7E-6ED1-5D77-0000-00106CC00800","SourceProcessId":1968,"SourceThreadId":3308,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:22.537"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14257,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.551641Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\System32\\perfproc.dll+30e3|C:\\Windows\\System32\\perfproc.dll+3015|C:\\Windows\\System32\\perfproc.dll+2cad|C:\\Windows\\system32\\advapi32.dll+125f2|C:\\Windows\\system32\\advapi32.dll+12cea|C:\\Windows\\system32\\KERNELBASE.dll+ab982|C:\\Windows\\system32\\KERNELBASE.dll+aacc3|C:\\Windows\\SYSTEM32\\pdh.dll+11412|C:\\Windows\\SYSTEM32\\pdh.dll+85d3|C:\\Windows\\SYSTEM32\\pdh.dll+36217|C:\\Windows\\SYSTEM32\\pdh.dll+335df|C:\\Windows\\SYSTEM32\\pdh.dll+33739|C:\\Windows\\System32\\wbem\\WmiPerfClass.dll+ce15|C:\\Windows\\System32\\wbem\\WmiPerfClass.dll+d3f2|C:\\Windows\\System32\\wbem\\WmiPerfClass.dll+5136","GrantedAccess":"0x1fffff","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","SourceProcessGUID":"21207A7E-6ED1-5D77-0000-00106CC00800","SourceProcessId":1968,"SourceThreadId":3308,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:22.553"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14258,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.647450Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\KERNELBASE.dll+cf8c8|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+11ed4|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+11f61|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+aa62|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a7d2|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a3d4|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+9273|C:\\Windows\\system32\\mscoree.dll+28139|C:\\Windows\\system32\\advapi32.dll+125f2|C:\\Windows\\system32\\advapi32.dll+12cea|C:\\Windows\\system32\\KERNELBASE.dll+ab982|C:\\Windows\\system32\\KERNELBASE.dll+aacc3|C:\\Windows\\SYSTEM32\\pdh.dll+9ef3|C:\\Windows\\SYSTEM32\\pdh.dll+85d3|C:\\Windows\\SYSTEM32\\pdh.dll+36217","GrantedAccess":"0x1400","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","SourceProcessGUID":"21207A7E-6ED1-5D77-0000-00106CC00800","SourceProcessId":1968,"SourceThreadId":3308,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:22.631"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14259,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.648784Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\KERNELBASE.dll+cf8c8|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+b3e0|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+b820|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+122e2|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a981|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a515|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+9273|C:\\Windows\\system32\\mscoree.dll+28139|C:\\Windows\\system32\\advapi32.dll+125f2|C:\\Windows\\system32\\advapi32.dll+12cea|C:\\Windows\\system32\\KERNELBASE.dll+ab982|C:\\Windows\\system32\\KERNELBASE.dll+aacc3|C:\\Windows\\SYSTEM32\\pdh.dll+9ef3|C:\\Windows\\SYSTEM32\\pdh.dll+85d3|C:\\Windows\\SYSTEM32\\pdh.dll+36217","GrantedAccess":"0x1400","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","SourceProcessGUID":"21207A7E-6ED1-5D77-0000-00106CC00800","SourceProcessId":1968,"SourceThreadId":3308,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:22.631"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14260,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.648870Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\System32\\perfproc.dll+30e3|C:\\Windows\\System32\\perfproc.dll+3015|C:\\Windows\\System32\\perfproc.dll+2cad|C:\\Windows\\system32\\advapi32.dll+125f2|C:\\Windows\\system32\\advapi32.dll+12cea|C:\\Windows\\system32\\KERNELBASE.dll+ab982|C:\\Windows\\system32\\KERNELBASE.dll+aacc3|C:\\Windows\\SYSTEM32\\pdh.dll+11412|C:\\Windows\\SYSTEM32\\pdh.dll+85d3|C:\\Windows\\SYSTEM32\\pdh.dll+36217|C:\\Windows\\SYSTEM32\\pdh.dll+335df|C:\\Windows\\SYSTEM32\\pdh.dll+33739|C:\\Windows\\System32\\wbem\\WmiPerfClass.dll+ce15|C:\\Windows\\System32\\wbem\\WmiPerfClass.dll+d3f2|C:\\Windows\\System32\\wbem\\WmiPerfClass.dll+5136","GrantedAccess":"0x1fffff","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","SourceProcessGUID":"21207A7E-6ED1-5D77-0000-00106CC00800","SourceProcessId":1968,"SourceThreadId":3308,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:22.647"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14261,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:22.737011Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\wermgr.exe","ProcessGuid":"21207A7E-6ECE-5D77-0000-0010F3830800","ProcessId":964,"RuleName":"","UtcTime":"2019-09-10 09:37:24.803"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14262,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:24.808812Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr","Company":"VMware, Inc.","CurrentDirectory":"C:\\Windows\\system32\\","Description":"VMware Tools Core Service","FileVersion":"10.2.5.8049","Hashes":"SHA1=7CAC9CB951E3CE441D95A3A572C1F54186F1C0DD,MD5=7AAF83EEAC84B9C31B19A3AD88817AF7,SHA256=A6D908B8C2DD18D864FF6DB9D18A2A7553F3B86310E6ABF5BC2BC9FACF082DC1,IMPHASH=F08A31F7C1DF83667BDAFD316240BB18","Image":"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","IntegrityLevel":"Medium","LogonGuid":"21207A7E-6ECA-5D77-0000-0020AD5A0700","LogonId":"0x75aad","OriginalFileName":"vmtoolsd.exe","ParentCommandLine":"C:\\Windows\\Explorer.EXE","ParentImage":"C:\\Windows\\explorer.exe","ParentProcessGuid":"21207A7E-6ECA-5D77-0000-001033880700","ParentProcessId":3596,"ProcessGuid":"21207A7E-6ED7-5D77-0000-0010D1330900","ProcessId":4296,"Product":"VMware Tools","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:37:27.475"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14263,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:27.479909Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\backgroundTaskHost.exe\" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\","Description":"Background Task Host","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=0AED09163CC857C7BACAC953461225713DCA09F1,MD5=B7C738367CEA003DC7609993DBE4EFA5,SHA256=4D143A0B6F1FA8AA8235CDD5EE25CCE108E4E5C65B561CF3FC8FE769B9FC6959,IMPHASH=44F48CF86DC5D98588235CD0E909B6C3","Image":"C:\\Windows\\System32\\backgroundTaskHost.exe","IntegrityLevel":"AppContainer","LogonGuid":"21207A7E-6ECA-5D77-0000-0020AD5A0700","LogonId":"0x75aad","OriginalFileName":"backgroundTaskHost.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-001087AB0000","ParentProcessId":812,"ProcessGuid":"21207A7E-6ED7-5D77-0000-0010693A0900","ProcessId":4328,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:37:27.644"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14264,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:27.645829Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\backgroundTaskHost.exe","ProcessGuid":"21207A7E-6ED7-5D77-0000-0010693A0900","ProcessId":4328,"RuleName":"","UtcTime":"2019-09-10 09:37:27.756"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14265,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:27.766141Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Users\\pula\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft OneDrive","FileVersion":"17.3.5892.0626","Hashes":"SHA1=67E5C70FF51B7B9A179A3F2854C18547847D038B,MD5=91DD4AD85BB341CC8CF5187EA06FD171,SHA256=68330A5EBDA7E4A51926EC2085D71C11BD2857A6EB1D4749DEE7A6D1D5679B98,IMPHASH=2B3C725E7B349A6943787E254953BC7F","Image":"C:\\Users\\pula\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe","IntegrityLevel":"Medium","LogonGuid":"21207A7E-6ECA-5D77-0000-0020AD5A0700","LogonId":"0x75aad","OriginalFileName":"OneDrive.exe","ParentCommandLine":"C:\\Windows\\Explorer.EXE","ParentImage":"C:\\Windows\\explorer.exe","ParentProcessGuid":"21207A7E-6ECA-5D77-0000-001033880700","ParentProcessId":3596,"ProcessGuid":"21207A7E-6ED9-5D77-0000-0010DBEF0900","ProcessId":4408,"Product":"Microsoft OneDrive","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:37:29.451"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14266,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:29.460408Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\mobsync.exe","ProcessGuid":"21207A7E-6ED0-5D77-0000-00100FA90800","ProcessId":3316,"RuleName":"","UtcTime":"2019-09-10 09:37:30.772"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14267,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:30.781910Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\userinit.exe","ProcessGuid":"21207A7E-6ECA-5D77-0000-001014860700","ProcessId":3580,"RuleName":"","UtcTime":"2019-09-10 09:37:35.459"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14268,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:35.462393Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Windows host process (Rundll32)","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=D07540F29C13983BC0EEE943F0D19968D9A0FA7A,MD5=543C8A2961F38C20438A61B9455E914C,SHA256=58B5E00312DEEE5474CF42F0C86664254AE7123055219C342A80AB5754E48BF6,IMPHASH=A2E75C292B8BFCA7B2A1A8467BEFEECF","Image":"C:\\Windows\\System32\\rundll32.exe","IntegrityLevel":"Medium","LogonGuid":"21207A7E-6ECA-5D77-0000-0020AD5A0700","LogonId":"0x75aad","OriginalFileName":"RUNDLL32.EXE","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-001087AB0000","ParentProcessId":812,"ProcessGuid":"21207A7E-6EE7-5D77-0000-00105B200A00","ProcessId":4568,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:37:43.921"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14269,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:43.925766Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\rundll32.exe","ProcessGuid":"21207A7E-6EE7-5D77-0000-00105B200A00","ProcessId":4568,"RuleName":"","UtcTime":"2019-09-10 09:37:44.193"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14270,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:44.207885Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\SppExtComObj.Exe","ProcessGuid":"21207A7E-6EC8-5D77-0000-00101B490700","ProcessId":3204,"RuleName":"","UtcTime":"2019-09-10 09:37:46.021"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14271,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:46.025248Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\sppsvc.exe","ProcessGuid":"21207A7E-6EC7-5D77-0000-001071410700","ProcessId":3160,"RuleName":"","UtcTime":"2019-09-10 09:37:46.021"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14272,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:46.026709Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"consent.exe 1028 478 08BC8988","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Consent UI for administrative applications","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=D665AE8CCC5C2DD711681BFB4606474078795420,MD5=9933BF2EFF401798BF2B382536C9F82C,SHA256=5FAC424BFFC032F5298593ABA198EC6B05E941F6F0DB3201702B357BB6A2D7DC,IMPHASH=8109E59E3FD1BFC421B7B8EE4588D8C9","Image":"C:\\Windows\\System32\\consent.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"consent.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBB-5D77-0000-001025350100","ParentProcessId":1028,"ProcessGuid":"21207A7E-6EEC-5D77-0000-00107B510A00","ProcessId":4640,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:48.063"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14273,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:48.069208Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\AUDIODG.EXE 0x814","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows","Description":"Windows Audio Device Graph Isolation ","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=D79C5BB5378E5EEB3221108D940AB26A55113C46,MD5=B82253DA47C0D39924A72F689BBDA6F1,SHA256=20075EC4BCDBD171A6429F91796112A64C32C2392F68705D6EF51A1713DD814E,IMPHASH=9703AE33B2923CE0DD0212619F962E0B","Image":"C:\\Windows\\System32\\audiodg.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBB-5D77-0000-0020E5030000","LogonId":"0x3e5","OriginalFileName":"audioadg.exe","ParentCommandLine":"C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBB-5D77-0000-0010913B0100","ParentProcessId":1076,"ProcessGuid":"21207A7E-6EEC-5D77-0000-00108C5E0A00","ProcessId":4724,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\LOCAL SERVICE","UtcTime":"2019-09-10 09:37:48.283"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14274,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:48.290239Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"COM Surrogate","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=B475217A1525063D7119E6AC288FB92638490373,MD5=21561B7B85B1C77F00ECA96BC30E9A20,SHA256=D17414E03A595A81D5925CADB099B71335ED54D836B1FDEE3BD0EE28B19EC3EA,IMPHASH=40D2E175C2888C8C61143B657C14F464","Image":"C:\\Windows\\System32\\dllhost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"dllhost.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-001087AB0000","ParentProcessId":812,"ProcessGuid":"21207A7E-6EED-5D77-0000-0010676A0A00","ProcessId":4776,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:49.513"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14275,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:49.516356Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\consent.exe","ProcessGuid":"21207A7E-6EEC-5D77-0000-00107B510A00","ProcessId":4640,"RuleName":"","UtcTime":"2019-09-10 09:37:49.558"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14276,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:49.595800Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"COM Surrogate","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=B475217A1525063D7119E6AC288FB92638490373,MD5=21561B7B85B1C77F00ECA96BC30E9A20,SHA256=D17414E03A595A81D5925CADB099B71335ED54D836B1FDEE3BD0EE28B19EC3EA,IMPHASH=40D2E175C2888C8C61143B657C14F464","Image":"C:\\Windows\\System32\\dllhost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"dllhost.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-001087AB0000","ParentProcessId":812,"ProcessGuid":"21207A7E-6EED-5D77-0000-00105D6D0A00","ProcessId":4816,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:49.600"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14277,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:49.602454Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe\" ","Company":"wj32","CurrentDirectory":"C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\","Description":"Process Hacker","FileVersion":"2.36.0.6153","Hashes":"SHA1=D3010FA0CC41D422D95C470167186DE5C976625F,MD5=69B5B8B35FBC2B8AD73A37ADDC9052F1,SHA256=7FC0DC49D14BBCD5593332385017A35EA844A8F748DD63DAB63AC3602E5A1D55,IMPHASH=1D3BF3D946834AEC3519F093E042212B","Image":"C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe","IntegrityLevel":"High","LogonGuid":"21207A7E-6ECA-5D77-0000-0020885A0700","LogonId":"0x75a88","OriginalFileName":"ProcessHacker.exe","ParentCommandLine":"C:\\Windows\\Explorer.EXE","ParentImage":"C:\\Windows\\explorer.exe","ParentProcessGuid":"21207A7E-6ECA-5D77-0000-001033880700","ParentProcessId":3596,"ProcessGuid":"21207A7E-6EED-5D77-0000-0010EF6E0A00","ProcessId":4852,"Product":"Process Hacker","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:37:49.612"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14278,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:49.625894Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=9FBFCA2DBA81461BC4000147084A367E1480C4FE,MD5=42010D06F8F295DEFFA53B6463B643FD,SHA256=E699D92DDB7164E45257B62F14EFA766B36680C5ED11EBA51639D3932FF346CC,IMPHASH=5002C596F0963A52028F09C38AE6ECAC","ImageLoaded":"C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\kprocesshacker.sys","RuleName":"","Signature":"Wen Jia Liu","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:37:49.714"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14279,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:49.740851Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+831ea|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+182af|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+86139|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+87da9|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+1e439|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+1167|C:\\Windows\\system32\\KERNEL32.DLL+1dea4|C:\\Windows\\SYSTEM32\\ntdll.dll+505ae|C:\\Windows\\SYSTEM32\\ntdll.dll+5057d","GrantedAccess":"0x1000","RuleName":"Inyeccion explorer","SourceImage":"C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe","SourceProcessGUID":"21207A7E-6EED-5D77-0000-0010EF6E0A00","SourceProcessId":4852,"SourceThreadId":4912,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:50.058"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14280,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:50.304024Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+831ea|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+182af|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+88900|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+1e439|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+1167|C:\\Windows\\system32\\KERNEL32.DLL+1dea4|C:\\Windows\\SYSTEM32\\ntdll.dll+505ae|C:\\Windows\\SYSTEM32\\ntdll.dll+5057d","GrantedAccess":"0x1400","RuleName":"Inyeccion explorer","SourceImage":"C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe","SourceProcessGUID":"21207A7E-6EED-5D77-0000-0010EF6E0A00","SourceProcessId":4852,"SourceThreadId":4912,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:50.058"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14281,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:50.304091Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+831ea|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+182af|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+85a25|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+85ee7|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+328ae|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+1167|C:\\Windows\\system32\\KERNEL32.DLL+1dea4|C:\\Windows\\SYSTEM32\\ntdll.dll+505ae|C:\\Windows\\SYSTEM32\\ntdll.dll+5057d","GrantedAccess":"0x1000","RuleName":"Inyeccion explorer","SourceImage":"C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe","SourceProcessGUID":"21207A7E-6EED-5D77-0000-0010EF6E0A00","SourceProcessId":4852,"SourceThreadId":4924,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:50.089"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14282,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:50.330942Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+831ea|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+182af|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+85ad6|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+85ee7|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+328ae|C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe+1167|C:\\Windows\\system32\\KERNEL32.DLL+1dea4|C:\\Windows\\SYSTEM32\\ntdll.dll+505ae|C:\\Windows\\SYSTEM32\\ntdll.dll+5057d","GrantedAccess":"0x1010","RuleName":"Inyeccion explorer","SourceImage":"C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe","SourceProcessGUID":"21207A7E-6EED-5D77-0000-0010EF6E0A00","SourceProcessId":4852,"SourceThreadId":4924,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:50.104"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14283,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:50.331154Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Hashes":"SHA1=A2C04684984084EA9D174435487A795C4B36B216,MD5=65C34426C83EFA32D48380A97717997B,SHA256=CD7EB6BFBB0BE382BA21055460D9A72323F09AF3194A22D8EDB28D5DB3BAE8E7,IMPHASH=E2AA52BEA813495FB46F4BD28AAD6DCB","ImageLoaded":"C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpKsl40e4e3b3.sys","RuleName":"","Signature":"Microsoft Windows Hardware Compatibility Publisher","SignatureStatus":"Valid","Signed":"true","UtcTime":"2019-09-10 09:37:51.041"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":6,"EventRecordID":14284,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2596}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":6,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:51.058590Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"c:\\windows\\system32\\\\svchost.exe\"","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Host Process for Windows Services","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=BCAE71BA4068BE87F9D5739AFEC8F7081D00A97E,MD5=A412DEDAC6A1FF7BA06FEB3B6725495E,SHA256=B4853F76DFE066A5B2AEB3166BAC4D6FF1548E9119205F65AC6CAB6D165F9850,IMPHASH=E7C7977A9A81DE6269643983B71B739C","Image":"C:\\Windows\\System32\\svchost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"svchost.exe","ParentCommandLine":"\"C:\\Program Files\\Windows Defender\\MsMpEng.exe\"","ParentImage":"C:\\Program Files\\Windows Defender\\MsMpEng.exe","ParentProcessGuid":"21207A7E-6EBD-5D77-0000-0010D4EA0100","ParentProcessId":580,"ProcessGuid":"21207A7E-6EEF-5D77-0000-001006CD0A00","ProcessId":4948,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:51.132"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14285,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:51.133590Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"<unknown process>","ProcessGuid":"21207A7E-6EEF-5D77-0000-001006CD0A00","ProcessId":4948,"RuleName":"","UtcTime":"2019-09-10 09:37:51.120"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14286,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:51.134704Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Users\\pula\\Desktop\\processhacker-2.36-bin\\x86\\ProcessHacker.exe","ProcessGuid":"21207A7E-6EED-5D77-0000-0010EF6E0A00","ProcessId":4852,"RuleName":"","UtcTime":"2019-09-10 09:37:53.825"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14287,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:53.831342Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\dllhost.exe","ProcessGuid":"21207A7E-6EED-5D77-0000-0010676A0A00","ProcessId":4776,"RuleName":"","UtcTime":"2019-09-10 09:37:54.539"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14288,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:54.542713Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\dllhost.exe","ProcessGuid":"21207A7E-6EED-5D77-0000-00105D6D0A00","ProcessId":4816,"RuleName":"","UtcTime":"2019-09-10 09:37:54.617"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14289,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:54.620521Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\" /s","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Management Console","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=150F2E6FFEB83CB85249781FF084F0013FA9F055,MD5=1C07D187405F750F33C1F2808FC52516,SHA256=B43B2F20F896657E642F2F5FA07E12E6B2DBF59303A228D2BB33E7B908FDDA42,IMPHASH=F26E292B57876A11FD546B9B5E24E3F5","Image":"C:\\Windows\\System32\\mmc.exe","IntegrityLevel":"Medium","LogonGuid":"21207A7E-6ECA-5D77-0000-0020AD5A0700","LogonId":"0x75aad","OriginalFileName":"mmc.exe","ParentCommandLine":"C:\\Windows\\Explorer.EXE","ParentImage":"C:\\Windows\\explorer.exe","ParentProcessGuid":"21207A7E-6ECA-5D77-0000-001033880700","ParentProcessId":3596,"ProcessGuid":"21207A7E-6EF5-5D77-0000-001048200B00","ProcessId":5232,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:37:57.818"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14290,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:57.870103Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\mmc.exe","ProcessGuid":"21207A7E-6EF5-5D77-0000-001048200B00","ProcessId":5232,"RuleName":"","UtcTime":"2019-09-10 09:37:57.872"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14291,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:57.890927Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"consent.exe 1028 382 0AA67830","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Consent UI for administrative applications","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=D665AE8CCC5C2DD711681BFB4606474078795420,MD5=9933BF2EFF401798BF2B382536C9F82C,SHA256=5FAC424BFFC032F5298593ABA198EC6B05E941F6F0DB3201702B357BB6A2D7DC,IMPHASH=8109E59E3FD1BFC421B7B8EE4588D8C9","Image":"C:\\Windows\\System32\\consent.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"consent.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k netsvcs","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBB-5D77-0000-001025350100","ParentProcessId":1028,"ProcessGuid":"21207A7E-6EF5-5D77-0000-0010AA210B00","ProcessId":5240,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:57.897"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14292,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:57.898315Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"COM Surrogate","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=B475217A1525063D7119E6AC288FB92638490373,MD5=21561B7B85B1C77F00ECA96BC30E9A20,SHA256=D17414E03A595A81D5925CADB099B71335ED54D836B1FDEE3BD0EE28B19EC3EA,IMPHASH=40D2E175C2888C8C61143B657C14F464","Image":"C:\\Windows\\System32\\dllhost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"dllhost.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-001087AB0000","ParentProcessId":812,"ProcessGuid":"21207A7E-6EF5-5D77-0000-00101E2A0B00","ProcessId":5292,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:57.988"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14293,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:57.989428Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\consent.exe","ProcessGuid":"21207A7E-6EF5-5D77-0000-0010AA210B00","ProcessId":5240,"RuleName":"","UtcTime":"2019-09-10 09:37:57.998"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14294,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:58.002067Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"C:\\Windows\\system32\\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"COM Surrogate","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=B475217A1525063D7119E6AC288FB92638490373,MD5=21561B7B85B1C77F00ECA96BC30E9A20,SHA256=D17414E03A595A81D5925CADB099B71335ED54D836B1FDEE3BD0EE28B19EC3EA,IMPHASH=40D2E175C2888C8C61143B657C14F464","Image":"C:\\Windows\\System32\\dllhost.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E7030000","LogonId":"0x3e7","OriginalFileName":"dllhost.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-001087AB0000","ParentProcessId":812,"ProcessGuid":"21207A7E-6EF6-5D77-0000-00106F2C0B00","ProcessId":5328,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\SYSTEM","UtcTime":"2019-09-10 09:37:58.004"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14295,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:58.004725Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\" /s","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Management Console","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=150F2E6FFEB83CB85249781FF084F0013FA9F055,MD5=1C07D187405F750F33C1F2808FC52516,SHA256=B43B2F20F896657E642F2F5FA07E12E6B2DBF59303A228D2BB33E7B908FDDA42,IMPHASH=F26E292B57876A11FD546B9B5E24E3F5","Image":"C:\\Windows\\System32\\mmc.exe","IntegrityLevel":"High","LogonGuid":"21207A7E-6ECA-5D77-0000-0020885A0700","LogonId":"0x75a88","OriginalFileName":"mmc.exe","ParentCommandLine":"C:\\Windows\\Explorer.EXE","ParentImage":"C:\\Windows\\explorer.exe","ParentProcessGuid":"21207A7E-6ECA-5D77-0000-001033880700","ParentProcessId":3596,"ProcessGuid":"21207A7E-6EF6-5D77-0000-0010002E0B00","ProcessId":5364,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:37:58.014"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14296,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:58.016400Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\KERNELBASE.dll+cf8c8|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+11ed4|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+11f61|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+aa62|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a7d2|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a3d4|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+8ed5|C:\\Windows\\system32\\KERNEL32.DLL+1dea4|C:\\Windows\\SYSTEM32\\ntdll.dll+505ae|C:\\Windows\\SYSTEM32\\ntdll.dll+5057d","GrantedAccess":"0x1400","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","SourceProcessGUID":"21207A7E-6ED1-5D77-0000-00106CC00800","SourceProcessId":1968,"SourceThreadId":4144,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:58.122"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14297,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:58.126709Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+8273a|C:\\Windows\\system32\\KERNELBASE.dll+cf8c8|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+b3e0|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+b820|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+122e2|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a981|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+a515|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\CorperfmonExt.dll+8ed5|C:\\Windows\\system32\\KERNEL32.DLL+1dea4|C:\\Windows\\SYSTEM32\\ntdll.dll+505ae|C:\\Windows\\SYSTEM32\\ntdll.dll+5057d","GrantedAccess":"0x1400","RuleName":"Inyeccion explorer","SourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","SourceProcessGUID":"21207A7E-6ED1-5D77-0000-00106CC00800","SourceProcessId":1968,"SourceThreadId":4144,"TargetImage":"C:\\Windows\\system32\\lsass.exe","TargetProcessGUID":"21207A7E-6EBA-5D77-0000-00109C970000","TargetProcessId":748,"UtcTime":"2019-09-10 09:37:58.122"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":10,"EventRecordID":14298,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":10,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:37:58.126953Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\backgroundTaskHost.exe\" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\","Description":"Background Task Host","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=0AED09163CC857C7BACAC953461225713DCA09F1,MD5=B7C738367CEA003DC7609993DBE4EFA5,SHA256=4D143A0B6F1FA8AA8235CDD5EE25CCE108E4E5C65B561CF3FC8FE769B9FC6959,IMPHASH=44F48CF86DC5D98588235CD0E909B6C3","Image":"C:\\Windows\\System32\\backgroundTaskHost.exe","IntegrityLevel":"AppContainer","LogonGuid":"21207A7E-6ECA-5D77-0000-0020AD5A0700","LogonId":"0x75aad","OriginalFileName":"backgroundTaskHost.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-001087AB0000","ParentProcessId":812,"ProcessGuid":"21207A7E-6EF9-5D77-0000-0010C35E0C00","ProcessId":5452,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:38:01.358"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14299,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:01.359534Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\backgroundTaskHost.exe","ProcessGuid":"21207A7E-6EF9-5D77-0000-0010C35E0C00","ProcessId":5452,"RuleName":"","UtcTime":"2019-09-10 09:38:01.403"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14300,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:01.411677Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" GetDeviceTicket -AccessKey 516B5AE1-184B-2DFA-887F-28B9C57D6B23 ","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\system32\\","Description":"Microsoft Malware Protection Command Line Utility","FileVersion":"4.8.10240.16384 (th1.150709-1700)","Hashes":"SHA1=32F82F6961A8F56A7DB9D553F36312D86030BAA4,MD5=B34408F254195B40BD207843C784A5B1,SHA256=CA5F91A0D4DDB6D4A0F2DA328F10DB693C8A31719FA763FF065ED82769E875EF,IMPHASH=C3DE81DF75C0892C1B40C8742D63AF1E","Image":"C:\\Program Files\\Windows Defender\\MpCmdRun.exe","IntegrityLevel":"System","LogonGuid":"21207A7E-6EBA-5D77-0000-0020E4030000","LogonId":"0x3e4","OriginalFileName":"MpCmdRun.exe","ParentCommandLine":"\"C:\\Program Files\\Windows Defender\\MsMpEng.exe\"","ParentImage":"C:\\Program Files\\Windows Defender\\MsMpEng.exe","ParentProcessGuid":"21207A7E-6EBD-5D77-0000-0010D4EA0100","ParentProcessId":580,"ProcessGuid":"21207A7E-6EFA-5D77-0000-00106EBD0D00","ProcessId":5504,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":0,"User":"NT AUTHORITY\\NETWORK SERVICE","UtcTime":"2019-09-10 09:38:02.289"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14301,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:02.291803Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Program Files\\Windows Defender\\MpCmdRun.exe","ProcessGuid":"21207A7E-6EFA-5D77-0000-00106EBD0D00","ProcessId":5504,"RuleName":"","UtcTime":"2019-09-10 09:38:02.466"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14302,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:02.481458Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\dllhost.exe","ProcessGuid":"21207A7E-6EF6-5D77-0000-00106F2C0B00","ProcessId":5328,"RuleName":"","UtcTime":"2019-09-10 09:38:03.013"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14303,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:03.017331Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\dllhost.exe","ProcessGuid":"21207A7E-6EF5-5D77-0000-00101E2A0B00","ProcessId":5292,"RuleName":"","UtcTime":"2019-09-10 09:38:03.013"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14304,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:03.017369Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\backgroundTaskHost.exe\" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\","Description":"Background Task Host","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=0AED09163CC857C7BACAC953461225713DCA09F1,MD5=B7C738367CEA003DC7609993DBE4EFA5,SHA256=4D143A0B6F1FA8AA8235CDD5EE25CCE108E4E5C65B561CF3FC8FE769B9FC6959,IMPHASH=44F48CF86DC5D98588235CD0E909B6C3","Image":"C:\\Windows\\System32\\backgroundTaskHost.exe","IntegrityLevel":"AppContainer","LogonGuid":"21207A7E-6ECA-5D77-0000-0020AD5A0700","LogonId":"0x75aad","OriginalFileName":"backgroundTaskHost.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-001087AB0000","ParentProcessId":812,"ProcessGuid":"21207A7E-6EFE-5D77-0000-00104DAE0F00","ProcessId":5592,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:38:06.915"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14305,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:06.918312Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\backgroundTaskHost.exe","ProcessGuid":"21207A7E-6EFE-5D77-0000-00104DAE0F00","ProcessId":5592,"RuleName":"","UtcTime":"2019-09-10 09:38:07.607"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14306,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:07.615348Z"}},"Version":3}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2018-11-11 17:32:51.302","Image":"C:\\Windows\\system32\\mmc.exe","PreviousCreationUtcTime":"2018-11-11 17:32:51.302","ProcessGuid":"21207A7E-6EF6-5D77-0000-0010002E0B00","ProcessId":5364,"RuleName":"","TargetFilename":"C:\\Users\\pula\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db","UtcTime":"2019-09-10 09:38:16.779"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":2,"EventRecordID":14307,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":2,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:16.792059Z"}},"Version":4}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2018-11-11 17:32:51.302","Image":"C:\\Windows\\system32\\mmc.exe","PreviousCreationUtcTime":"2018-11-11 17:32:51.302","ProcessGuid":"21207A7E-6EF6-5D77-0000-0010002E0B00","ProcessId":5364,"RuleName":"","TargetFilename":"C:\\Users\\pula\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db","UtcTime":"2019-09-10 09:38:16.779"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":2,"EventRecordID":14308,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":2,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:16.807579Z"}},"Version":4}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2018-11-11 17:32:51.318","Image":"C:\\Windows\\system32\\mmc.exe","PreviousCreationUtcTime":"2018-11-11 17:32:51.318","ProcessGuid":"21207A7E-6EF6-5D77-0000-0010002E0B00","ProcessId":5364,"RuleName":"","TargetFilename":"C:\\Users\\pula\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_32.db","UtcTime":"2019-09-10 09:38:16.779"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":2,"EventRecordID":14309,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":2,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:16.807672Z"}},"Version":4}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2018-11-11 17:32:51.318","Image":"C:\\Windows\\system32\\mmc.exe","PreviousCreationUtcTime":"2018-11-11 17:32:51.318","ProcessGuid":"21207A7E-6EF6-5D77-0000-0010002E0B00","ProcessId":5364,"RuleName":"","TargetFilename":"C:\\Users\\pula\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db","UtcTime":"2019-09-10 09:38:16.779"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":2,"EventRecordID":14310,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":2,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:16.807714Z"}},"Version":4}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2018-11-11 17:32:51.318","Image":"C:\\Windows\\system32\\mmc.exe","PreviousCreationUtcTime":"2018-11-11 17:32:51.318","ProcessGuid":"21207A7E-6EF6-5D77-0000-0010002E0B00","ProcessId":5364,"RuleName":"","TargetFilename":"C:\\Users\\pula\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_96.db","UtcTime":"2019-09-10 09:38:16.779"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":2,"EventRecordID":14311,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":2,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:16.807752Z"}},"Version":4}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2018-11-11 17:32:51.318","Image":"C:\\Windows\\system32\\mmc.exe","PreviousCreationUtcTime":"2018-11-11 17:32:51.318","ProcessGuid":"21207A7E-6EF6-5D77-0000-0010002E0B00","ProcessId":5364,"RuleName":"","TargetFilename":"C:\\Users\\pula\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_256.db","UtcTime":"2019-09-10 09:38:16.779"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":2,"EventRecordID":14312,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":2,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:16.807789Z"}},"Version":4}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2018-11-11 17:32:51.318","Image":"C:\\Windows\\system32\\mmc.exe","PreviousCreationUtcTime":"2018-11-11 17:32:51.318","ProcessGuid":"21207A7E-6EF6-5D77-0000-0010002E0B00","ProcessId":5364,"RuleName":"","TargetFilename":"C:\\Users\\pula\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_768.db","UtcTime":"2019-09-10 09:38:16.779"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":2,"EventRecordID":14313,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":2,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:16.807826Z"}},"Version":4}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2018-11-11 17:32:51.318","Image":"C:\\Windows\\system32\\mmc.exe","PreviousCreationUtcTime":"2018-11-11 17:32:51.318","ProcessGuid":"21207A7E-6EF6-5D77-0000-0010002E0B00","ProcessId":5364,"RuleName":"","TargetFilename":"C:\\Users\\pula\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_1280.db","UtcTime":"2019-09-10 09:38:16.779"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":2,"EventRecordID":14314,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":2,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:16.807864Z"}},"Version":4}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2018-11-11 17:32:51.318","Image":"C:\\Windows\\system32\\mmc.exe","PreviousCreationUtcTime":"2018-11-11 17:32:51.318","ProcessGuid":"21207A7E-6EF6-5D77-0000-0010002E0B00","ProcessId":5364,"RuleName":"","TargetFilename":"C:\\Users\\pula\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_1920.db","UtcTime":"2019-09-10 09:38:16.779"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":2,"EventRecordID":14315,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":2,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:16.807901Z"}},"Version":4}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2018-11-11 17:32:51.318","Image":"C:\\Windows\\system32\\mmc.exe","PreviousCreationUtcTime":"2018-11-11 17:32:51.318","ProcessGuid":"21207A7E-6EF6-5D77-0000-0010002E0B00","ProcessId":5364,"RuleName":"","TargetFilename":"C:\\Users\\pula\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_2560.db","UtcTime":"2019-09-10 09:38:16.779"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":2,"EventRecordID":14316,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":2,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:16.807944Z"}},"Version":4}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2018-11-11 17:32:51.318","Image":"C:\\Windows\\system32\\mmc.exe","PreviousCreationUtcTime":"2018-11-11 17:32:51.318","ProcessGuid":"21207A7E-6EF6-5D77-0000-0010002E0B00","ProcessId":5364,"RuleName":"","TargetFilename":"C:\\Users\\pula\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_sr.db","UtcTime":"2019-09-10 09:38:16.779"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":2,"EventRecordID":14317,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":2,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:16.807981Z"}},"Version":4}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2018-11-11 17:32:51.318","Image":"C:\\Windows\\system32\\mmc.exe","PreviousCreationUtcTime":"2018-11-11 17:32:51.318","ProcessGuid":"21207A7E-6EF6-5D77-0000-0010002E0B00","ProcessId":5364,"RuleName":"","TargetFilename":"C:\\Users\\pula\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_wide.db","UtcTime":"2019-09-10 09:38:16.779"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":2,"EventRecordID":14318,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":2,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:16.808087Z"}},"Version":4}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2018-11-11 17:32:51.318","Image":"C:\\Windows\\system32\\mmc.exe","PreviousCreationUtcTime":"2018-11-11 17:32:51.318","ProcessGuid":"21207A7E-6EF6-5D77-0000-0010002E0B00","ProcessId":5364,"RuleName":"","TargetFilename":"C:\\Users\\pula\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_exif.db","UtcTime":"2019-09-10 09:38:16.779"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":2,"EventRecordID":14319,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":2,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:16.808144Z"}},"Version":4}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2018-11-11 17:32:51.318","Image":"C:\\Windows\\system32\\mmc.exe","PreviousCreationUtcTime":"2018-11-11 17:32:51.318","ProcessGuid":"21207A7E-6EF6-5D77-0000-0010002E0B00","ProcessId":5364,"RuleName":"","TargetFilename":"C:\\Users\\pula\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_wide_alternate.db","UtcTime":"2019-09-10 09:38:16.779"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":2,"EventRecordID":14320,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":2,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:16.808183Z"}},"Version":4}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CreationUtcTime":"2018-11-11 17:32:51.318","Image":"C:\\Windows\\system32\\mmc.exe","PreviousCreationUtcTime":"2018-11-11 17:32:51.318","ProcessGuid":"21207A7E-6EF6-5D77-0000-0010002E0B00","ProcessId":5364,"RuleName":"","TargetFilename":"C:\\Users\\pula\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_custom_stream.db","UtcTime":"2019-09-10 09:38:16.779"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":2,"EventRecordID":14321,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":2,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:16.808222Z"}},"Version":4}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"CommandLine":"\"C:\\Windows\\system32\\backgroundTaskHost.exe\" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca","Company":"Microsoft Corporation","CurrentDirectory":"C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\","Description":"Background Task Host","FileVersion":"10.0.10240.16384 (th1.150709-1700)","Hashes":"SHA1=0AED09163CC857C7BACAC953461225713DCA09F1,MD5=B7C738367CEA003DC7609993DBE4EFA5,SHA256=4D143A0B6F1FA8AA8235CDD5EE25CCE108E4E5C65B561CF3FC8FE769B9FC6959,IMPHASH=44F48CF86DC5D98588235CD0E909B6C3","Image":"C:\\Windows\\System32\\backgroundTaskHost.exe","IntegrityLevel":"AppContainer","LogonGuid":"21207A7E-6ECA-5D77-0000-0020AD5A0700","LogonId":"0x75aad","OriginalFileName":"backgroundTaskHost.exe","ParentCommandLine":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","ParentImage":"C:\\Windows\\System32\\svchost.exe","ParentProcessGuid":"21207A7E-6EBA-5D77-0000-001087AB0000","ParentProcessId":812,"ProcessGuid":"21207A7E-6F0E-5D77-0000-001065F00F00","ProcessId":5724,"Product":"Microsoft® Windows® Operating System","RuleName":"","TerminalSessionId":1,"User":"DESKTOP-CF2FLGA\\pula","UtcTime":"2019-09-10 09:38:22.675"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":1,"EventRecordID":14322,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":1,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:22.678906Z"}},"Version":5}}}
{"Event":{"#attributes":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event"},"EventData":{"Image":"C:\\Windows\\System32\\backgroundTaskHost.exe","ProcessGuid":"21207A7E-6F0E-5D77-0000-001065F00F00","ProcessId":5724,"RuleName":"","UtcTime":"2019-09-10 09:38:22.732"},"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","Computer":"DESKTOP-CF2FLGA","Correlation":null,"EventID":5,"EventRecordID":14323,"Execution":{"#attributes":{"ProcessID":1912,"ThreadID":2592}},"Keywords":"0x8000000000000000","Level":4,"Opcode":0,"Provider":{"#attributes":{"Guid":"5770385F-C22A-43E0-BF4C-06F5698FFBD9","Name":"Microsoft-Windows-Sysmon"}},"Security":{"#attributes":{"UserID":"S-1-5-18"}},"Task":5,"TimeCreated":{"#attributes":{"SystemTime":"2019-09-10T09:38:22.744672Z"}},"Version":3}}}